[ale] Linux Distributions
Michael B. Trausch
fd0man at gmail.com
Tue May 17 20:08:51 EDT 2005
ChangingLINKS.com wrote:
>
> I am not going to have this "root" argument/flamewar on this thread.
> There IS a case where one can run as root all of the time safely.
>
> For those that understand that, probably already know how.
> Those that don't usually cannot be convinced otherwise.
>
Running one program as root all of the time is probably okay if it's a
trustable program. I only use the system default programs that run as
root in this fashion, such as login, getty, init. Production machines
should never use root unless you need the privilege, which isn't
terribly often.

I cannot see a case where you would ever want to ever have a login shell
for root, initiated from a getty, and run that way all of the time.
It's a *huge* risk, because it goes against security common sense, for
more than one reason. Many people are silly enough to leave their login
sessions running, for example. If you do this with root, then anyone
can come in and take over and have complete control of your system.

All of the systems that I configure only use root when you use 'sudo' to
get to it... I make the password something long (usually 100+
pseudorandom alphanumeric characters), and only use sudo to get in, or
an SSH key that is always physically on my person, in the case that I
need to do a password change for someone else, or myself, and I don't
have the ability to log in as myself for whatever reason. Other than
that, I use sudo for just about everything, including installing
software, editing config files, and what-not.

In addition, this functionality only works for users in the group
'wheel', of which I'm the only one.
- Mike
--
Michael B. Trausch <fd0man at gmail.com>
Website: http://fd0man.chadeux.net/ Jabber: mtrausch at jabber.com
Phone: +1-(678)-522-7934 FAX (US Only): 1-866-806-4647
===================================================================
Do you have PGP or GPG? Key at pgp.mit.edu, Please Encrypt E-Mail!
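
An added example, not part of the original message: a small audit that compares a host's files against the setup the post describes (sudo rules only for root and %wheel, a single wheel member, root SSH login limited to keys). The function names, the sample users and all file contents are constructed for illustration; on a real host the arguments would be /etc/group, /etc/sudoers and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: audit the root-access setup described in the post.
# All file contents are constructed samples; paths are passed as arguments.

wheel_members() {   # $1 = group file -> members of 'wheel', space separated
    awk -F: '$1 == "wheel" { gsub(",", " ", $4); print $4 }' "$1"
}

sudo_grantees() {   # $1 = sudoers file -> who holds a rule (users and %groups)
    # Skips comments, Defaults and *_Alias lines; does not follow include files.
    awk 'NF && $1 !~ /^[#@]/ &&
         $1 !~ /^(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { print $1 }' "$1" |
        LC_ALL=C sort -u
}

root_ssh_mode() {   # $1 = sshd_config -> first PermitRootLogin value or "unset"
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
         END { if (!f) print "unset" }' "$1"
}

audit() {           # $1 group, $2 sudoers, $3 sshd_config; one FINDING per line
    for g in $(sudo_grantees "$2"); do
        case $g in
            root|%wheel) ;;
            *) echo "FINDING: sudo rule outside wheel: $g" ;;
        esac
    done
    n=$(wheel_members "$1" | awk '{ print NF; exit }')
    if [ "${n:-0}" -gt 1 ]; then
        echo "FINDING: wheel has $n members: $(wheel_members "$1")"
    fi
    mode=$(root_ssh_mode "$3")
    case $mode in
        no|without-password|prohibit-password|forced-commands-only) ;;
        *) echo "FINDING: root SSH not limited to keys: PermitRootLogin $mode" ;;
    esac
    return 0
}

make_samples() {    # $1 = directory; writes the constructed sample files
    printf '%s\n' 'root:x:0:' 'wheel:x:10:admin1,admin2' > "$1/group"
    printf '%s\n' 'Defaults env_reset' 'root ALL=(ALL) ALL' \
        '%wheel ALL=(ALL) ALL' 'bob ALL=(ALL) NOPASSWD: ALL' > "$1/sudoers"
    printf '%s\n' '# constructed' 'PermitRootLogin without-password' \
        > "$1/sshd_config"
}

d=$(mktemp -d)
make_samples "$d"
audit "$d/group" "$d/sudoers" "$d/sshd_config"
rm -rf "$d"
```

On the constructed samples it reports the stray `bob` rule and the second wheel member; an `unset` PermitRootLogin is flagged because the default differs between OpenSSH versions.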