[ale] Sunday 05-22-05 6PM RUN-AS-ROOT CHALLENGE

Jim Popovitch jimpop at yahoo.com
Thu May 19 14:50:06 EDT 2005


On Thu, 2005-05-19 at 10:59 -0400, Jason Day wrote:
> On Wed, May 18, 2005 at 08:19:11PM -0400, Jim Popovitch wrote:
> > On Wed, 2005-05-18 at 19:10 -0400, Michael B. Trausch wrote:
> > >
> > > You completely ignored the "if not root, software is harder to install
> > > and viruses which attack the OS are harder to catch and such things are
> > > harder to propegate".
> > 
> > I didn't completely ignore it, I just don't think it is relevant.  If a
> > virus can "attack" anything in /home/user that is already a much worse
> > situation.  If something "owns" /bin/ls I've already got worse problems.
> > The fact that the virus could make it to /home/user (where user UID=0 or
> > UID=10001) is the problem to solve, not saving the rest of the (already)
> > sinking ship at that point.
> 
> This is the point I've tried to make over and over that you completely
> miss.  

I haven't missed it, I've just focused on the real issue. ;-)

> Your argument is that to the user, the data is the only thing
> that matters.  

BINGO!

> My argument is that the user has (or, in reality, should
> have) an obligation as a "net citizen" to properly secure their box and
> prevent the spread of malware.

The are not mutually exclusive.  User data can be destroyed via root or
non-root.  Net citizenship is a whole other discussion, and not really
even a user one.  Everyday people (the ones still needing to adopt
Linux) with computers don't think of themselves as net citizens.

> In your view, a user can become infected with malware that turns their
> box into a spam relay, a drone in a distributed botnet, a repository for
> illegal porn or software, but as long as the user's home directory is
> untouched none of that matters.  Users can remain blissfully unaware of
> how their computers are used for nefarious purposes, because their data
> is left alone.

You are mixing apples w/ oranges and producing a fruity argument. ;-)

> 
> > > This is also fact.
> > 
> > Yes, but not one that applies.
> 
> Finally, you admit that the spread of malware is made more difficult as
> non-root.  

No.  Malware is spread via non-root means every second. i.e. SPAM,
phishing scams, viruses.  None of those require "root".

> At least that's something.  I would argue that it does apply,
> for the reasons I gave above.  Since you don't seem to care what your
> computer does, or how it is used, as long as your home directory is left
> alone, can I have an account on your box? ;-)

;-) so with a user account you think you can cause havoc?  Who's
argument are you advocating?

-Jim P.








More information about the Ale mailing list