root may not be directly reachable on the net

The root account should not be reachable directly from other machines via telnet, rsh and rlogin.

Reason:
Otherwise the root account could easily be broken into over the net with the help of crack. (Crack is a program for password testing and cracking.) However, when a potential aggressor must first log in as a normal user before being able to break in, two more hurdles have to be taken: first, crack must be installed on the system, and second, an attack from inside must be quickly detected. Besides, with telnet the password crosses the Ethernet unencrypted at least once. With suitable network programs, other systems on the Ethernet can filter such data out of the TCP/IP packets more or less easily.

This security step also applies to NFS exported partitions: always set the option root_squash explicitly in /etc/exports. You will find more about it on the manual page exports.

If you still allow root on terminals other than the local one, please refer to the manual page login(5) (Call: man 5 login).

root's shell variable PATH should not contain any `.', neither in front nor behind. The point `.' is an abbreviation for the directory just used and the shell scripts and programs contained in it. Such programs should be called explicitly by typing ./ in front.

Reason:
When a normal user creates, for example, a script with the name ls containing

    #!/bin/sh
    cd /
    rm -rf *

in /tmp/ or in his/her HOME directory, root can unintentionally erase the complete system itself. Likewise, when . is at the end of the shell variable PATH, one is still not safe from typing errors and may call a local program unintentionally (la instead of ls, for example).
This danger is appropriately described as a trojan horse.
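
An added example, not part of the original article: a POSIX shell function that audits a PATH value for entries that make the shell search the current directory. It goes beyond the `.' case in the text by also flagging empty entries (a leading, trailing or doubled `:'), which the shell treats as the current directory, and relative directories. The function name audit_path and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH-style string for entries that make the shell
# search the current directory. audit_path is a hypothetical helper name.

# Prints one line per unsafe entry; returns 1 if any was found, else 0.
audit_path() {
    rest="$1:"          # trailing ':' terminates the last entry for the loop
    position=0
    unsafe=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # everything after it
        position=$((position + 1))
        case $entry in
            '')
                echo "entry $position: empty, treated as the current directory"
                unsafe=1 ;;
            .|./)
                echo "entry $position: '$entry' is the current directory"
                unsafe=1 ;;
            /*)
                ;;          # absolute directory: independent of where root is
            *)
                echo "entry $position: '$entry' is relative to the current directory"
                unsafe=1 ;;
        esac
    done
    return "$unsafe"
}

# Constructed sample values, not taken from a real system.
clean_path='/usr/sbin:/usr/bin:/sbin:/bin'
risky_path='/usr/sbin:/usr/bin:.:/bin:'

audit_path "$clean_path" && echo "clean_path: ok"
audit_path "$risky_path" || echo "risky_path: fix before using it for root"
```

To check a live session, call audit_path "$PATH" from root's own shell.
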

root
root, unless important jobs at the system itself must be executed by him.

Reason:
The danger of an error is too big, and root can do everything, really everything, even the unwanted. Under this condition unwanted commands are consequently executed without warning.

An original quote from a client, which should serve as a warning:
... now an accident happened to me, because I've worked as root. With the hope of getting any sound, I have typed "ls > /dev/hdb2" instead of "/dev/dsp" by mistake - unfortunately, /dev/hb2 is my root partition.

Remark: /dev/hb2 was his root partition. But, along with malicious glee, we have the deepest sympathy too ;-)

Keywords: ROOT, POINT, PATH, SECURITY, LOGIN, RSH, TELNET, NFS
Feedback welcome: Send Mail to werner@suse.de (Please give the following subject: SDB-perms)