Re: [SLUG] WAS about Linux virii

From: Paul M Foster (paulf@quillandmouse.com)
Date: Thu Feb 14 2002 - 00:25:31 EST


On Wed, Feb 13, 2002 at 07:31:05PM -0500, Ronald KA4INM Youvan wrote:

> Someone said:
>
> > . . . don't run as root if you can help it.
>
>
> snip
>
>
> I can't think of why logging in as root is a security problem,
> if you are logged in as `Joe', that doesn't prevent a Trojan
> horse from sending your password to a guy named Lu (in China)
> that telnets into an open port and logs in as root and E-mails
> your private thoughts to him. (or whatever)
>
> What has bothered me from my start is:
> I know the name of the super user on your box, everyone
> does.
> That seems to me to make security twice as hard as it needs to be.
>
> Does anyone know of a way to have a name other than `root'
> being the super user? (In LINUX.)
> (I would also want to hide his directory among all `normal' users)
>

It's not the name of the superuser that's the problem. _Normally_
you'd have to know the root password to do any damage. There are two
reasons why running as root is bad.

First, as root, carelessly executed commands can wreck your system
beyond repair. I can demonstrate this on any machine someone cares to
bring to a meeting. ;-}

Second, if you're surfing as root and you get hacked, they're coming
into your machine via a pipe with root on your end. Theoretically, they
have the same privileges you do. As opposed to surfing as Joe L. User,
who can really only mess things up in his and the tmp directory.

Now, you're right-- if someone manages to download a rootkit onto your
machine, you're screwed either way. But that's normally a different
kind of exploit. That's a buffer overflow or some other similar type of
exploit. On the other hand, most of the exploits like that take
advantage of services that are visible to the internet, and which often
run as root or have root privileges to some extent.

Also, many of the exploits you read about are only potential exploits
(no logged instances of them actually occurring), and exist in programs
which might be run on your network by supposedly "trusted" users. That
is, they aren't exploits which you'd normally be the victim of from
outside your network, but from _inside_ your network. If someone inside
your network is running one of these programs as Joe L. User, they might
not be able to do much damage. But if they hack you while running as
root, they can do the same thing to your system that I can do at a
prompt-- ruin it.

(I am _not_ a security expert, so if I've gotten some of this wrong,
feel free to correct me.)

Paul
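An added illustration of Paul's point that the superuser's name is not what matters (this is not part of either message in the thread): Linux grants superuser privilege to any account whose numeric UID is 0, whatever it is called, so renaming `root` hides nothing from a program that checks the UID, and an audit of the password file for extra UID-0 accounts is the more useful check. The passwd lines below are constructed sample data, not from any real system.

```sh
#!/bin/sh
# Constructed sample of /etc/passwd content (fields: name:pw:uid:gid:gecos:home:shell).
# "toor" is included to show a second superuser account hiding under another name.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alternate superuser:/root:/bin/sh
joe:x:1000:1000:Joe L. User:/home/joe:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin'

# Print the name of every account whose UID is 0, regardless of its name.
# Usage: uid0_accounts "$(cat /etc/passwd)"
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 && $3 == 0 { print $1 }'
}

# Count the UID-0 accounts; anything above 1 deserves an explanation.
count_uid0() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) if the named account has UID 0 in the given passwd text.
# Usage: is_superuser_account toor "$(cat /etc/passwd)"
is_superuser_account() {
    printf '%s\n' "$2" | awk -F: -v n="$1" \
        'NF >= 3 && $1 == n && $3 == 0 { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone run: report what the sample contains.
echo "UID-0 accounts in sample: $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "Count: $(count_uid0 "$SAMPLE_PASSWD")"
```

Run against the real file with `uid0_accounts "$(cat /etc/passwd)"`; on a normal single-user box the only line printed should be `root`.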



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:05:24 EDT