On Being root....
Ewan Mac Mahon
ewan at macmahon.me.uk
Sun Mar 5 22:26:38 UTC 2006
On Sun, Mar 05, 2006 at 12:41:41PM -0500, Chris Peterman wrote:
> Just a random thought on the subject...
> The Sudo model is better for Desktops, because it's easier to remember
> one long cryptic password than TWO long cryptic passwords.
> For Servers however...the Duel Account (Normal and Root User) Model is
> better, assuming you disallow Remote Root logins. Why? Because if the
> cracker busts the long cryptic user password, he still has to bust the
> (perhaps) longer, more cryptic Root Password to do more damage.
As a rule passwords over a certain strenth are pretty much uncrackable;
for practical purposes it's usually easier to escallate privelleges by
means of buggy software running as root.
Unlike desktops server systems commonly have several admins, with a
single root account everyone has to know the password and there's no way
to tell after the event who did what. With sudo each user is handled
separately and they're actions are logged separately. If you want to
remove one person's admin rights with the old model you have to change
the password and tell everone else (securely) about the new one. With
sudo you just take them out of the config and carry on.
> Also Servers are (I would think) targetted more than Desktops :P
I've got nothing to back this up, but my intuition is the opposite; a
server is likely to be looked after by a more or less clued up admin,
have proper firewalling etc, a desktop less so. If you look at the
example of Windows systems the most commonly cracked target is an
unpatched domestic machine on a broadband connection, not a server. I
can't see any reason why that would be different for Linux systems
(beyond simply fewer of them getting done) - I know I see enough ssh
dictionary attacks on my home ADSL link.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 189 bytes
Desc: Digital signature
More information about the ubuntu-users