newby

Paul O'Malley ompaul at eircom.net
Sun Mar 4 12:44:45 UTC 2007


Simon Ruiz wrote:
[snip]
> So you mean there's a simple way for any user, any student, to get root access to our machines?
>  
> Can this be helped by MAKING a root password?
>  
> Hope this finds you all doing great!
>  
> Simon
[snip]

Kind of long reply!

I am sending this to the devel list, but think that perhaps there are
better places for it; it raises issues that people may wish to take on
board to build better management systems, and for that reason alone I
let it go.

Root adds nothing to the process, other than meaning that all machines
have a similar logon that can be brute-force attacked from the console
or remotely; that is another argument, and strong passwords should be
in use anyway.

Computer security is not an action, nor is it a product, but a set of
behaviours wrapped up in technology, i.e. a process.

If you want to protect the box a little more then put a password on GRUB
and don't forget it. The whole security aspect is very broad and I give
some treatment to the questions involved before you do any more below.

The instructions for doing so are beyond the scope of this mail however:

http://www.ubuntuforums.org/showthread.php?t=7353

WARNING: if you do this you can't really afford to make a mistake if it
is your only way onto the internet.
With physical access to the machine a person with the right knowledge
can still get in.
For instance, if the BIOS has a password on the machine and you want to
boot off a CDROM, what combinations to bypass that measure are available
to you?

Encrypted file systems are an option, costing CPU cycles, thus making
the box slower. This is to say nothing of the cost to convenience if
your hard drive/RAID crashes and you need new hardware.
This then creates other issues around your backups: are they to be in
plain text or encrypted, should they be tied to the machine or something
else?

Who will document this process so when the person who sets it up goes
elsewhere, or is sick and something needs to be done and maybe if they
have forgotten how it was done?

How are those instructions to be held?

Are the computers available for people to interact with zero supervision?

What are you trying to protect, workstations or servers?

At what point do you trust your users? If you say you don't trust them
at all, let me point out they do get to use the boxes.

There is no security system that is foolproof; humans make them, they
can be complex, but humans can and will break them.

Perhaps I'll cease before this becomes a full on discussion of IT
security, it seems that someone hit one of my buttons. ;-)

Regards,

Paul O'Malley



