Help to get started
Reinhold Rumberger
rrumberger at web.de
Fri Nov 12 17:21:20 UTC 2010
On Friday 12 November 2010, Nils Kassube wrote:
> Reinhold Rumberger wrote:
> > On Tuesday 02 November 2010, Nils Kassube wrote:
> > > shawn wilson wrote:
> > > > However, if ctrl+alt+f1 works and you can login there, do:
> > > > sudo passwd # set root password
> > >
> > > Why? Usually there is no real benefit if you set a root
> > > password.
> >
> > There is. I once pulled a little stunt where a friend of mine
> > went to the toilet and I quickly rebooted his machine into
> > rescue mode and used that to set a root password and create a
> > backdoor account.
>
> Who needs enemies with friends like you ...
He needed that - he'd fallen for the Ubuntu "no root pwd is more
secure than having one" bullshit. :-P
<snip>
> IMHO, if your "protection" merely makes it slightly more difficult
> to attack the machine, it is only security theatre but no real
> security.
As I said, for proper security you need a boot password and to make
sure there's no way of booting off external media.
The real problem is that in our university environment, laptops
rarely get stolen (somebody you trust can usually keep an eye on your
machine when you e.g. have to go to the toilet) an there are some
safeguards in place preventing unauthorised access from the network -
together with a little firewall that only leaves physical access as
an attack vector.
Having no root password means you only need a couple of seconds of
actual access to the machine to give yourself root access, especially
if ssh is already installed.
With the simple measure of setting a root password, you draw this
attack out a little. And as time is a big factor here, it *helps*,
especially if it means the difference between your friend noticing
the attacker or not.
Obviously it doesn't help a whole lot on it's own, but as a part of
the little bundle I described above, it'll do a lot in most
situations.
> If you want to protect your machine from your geek
> "friends" or other determined attackers, an encrypted file system
> might help.
Nah, too much trouble and the only thing it really does is protect
your data when the machine is stolen. Also, getting your average user
to encrypt their hard drive (including the root partition) is a bit
tough. Telling them how to set their root password, change the boot
order in the BIOS and set BIOS and GRUB passwords is a lot easier and
will each contribute a little to the overall security. And they
combine well to protect against the physical attack vector.
That said, it kind of depends what the attacker is "determined" to do
- get your data or get an account on the system for various purposes.
Protecting data is as simple as using gpg. The rest is a lot harder
to guard against.
> > > If you need a root shell, you can use e.g.
> > >
> > > sudo su
> > >
> > > instead.
> >
> > I prefer "sudo su -" as that will set a proper root environment
> > and not leave stuff like $HOME pointing to your home directory,
> > mucking up permissions on settings files.
>
> Sorry, I don't see your point - "sudo su" sets $HOME to /root
> which is the proper value for a root shell.
I confused it with simple sudo usage. For more detail on the
advantage of adding the dash, see man su. The short version is that
it is closer to dropping to a tty and logging in from there.
--Reinhold
More information about the kubuntu-users
mailing list