
New I'd recommend not doing this.
And here's why.

If root has a password, and you've not disabled remote root logins, and you haven't disabled any crashy/buggy services that run as root and which could be compromised to get a shell, then an attacker doesn't even have to think about the username and can move swiftly on to the password part of things.

If you have a sensible username, then the attacker has to go through the hoops of finding a username to compromise, hoping it's in /etc/sudoers, and then hoping also that he can crack the password.

There's no such thing as total security, obviously (well, there is, but it involves your computer being in a locked, booby-trapped box at the bottom of the Marianas trench with a sign saying "Beware of the tiger" on the door[0]) but it seems silly to me to not use an obvious security feature like this.

Other benefits of using the sudo approach include not inadvertently still being root when you'd rather not be (people like me who "sudo su" deserve everything they get) and also only having the one password to remember, so therefore you can make it much stronger.

It's horses for courses, naturally. Some people really find the sudo method extremely intrusive. Personally, I like it.
[0] With apologies to DNA


Peter
[link|http://www.ubuntulinux.org|Ubuntu Linux]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
New A good point
Hadn't thought about it that way.

It sounds good enough to me that I may set this up myself on my existing systems - I'll leave my day-to-day user account out of it, though. No, I don't trust my 'fumble fingers', and I detest the 'oh-shit-second'...
[link|http://www.runningworks.com|]
Imric's Tips for Living
  • Paranoia Is a Survival Trait
  • Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
  • Even though everyone is out to get you, it doesn't matter unless you let them win.


Nothing is as simple as it seems in the beginning,
As hopeless as it seems in the middle,
Or as finished as it seems in the end.
 
 
New sudo is really powerful
You can restrict the activities of users in many ways.

You could give yourself, say, the ability to change other users' passwords but not to run dpkg, for example.

Read the man page and documentation. The syntax of /etc/sudoers takes some getting used to, so be warned :-)


Peter
[link|http://www.ubuntulinux.org|Ubuntu Linux]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
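
The restriction described in the post above (change other users' passwords, but no dpkg), written out as a sudoers fragment. This is an added example, not part of the original thread; the account name "alice", the alias name and the file name are assumptions, and the passwd rule follows the pattern documented in sudoers(5).

```sudoers
# /etc/sudoers.d/helpdesk (hypothetical file name)
# Edit with: visudo -f /etc/sudoers.d/helpdesk
# "alice" is a hypothetical account used only in this example.

# Commands are granted by full path. The first entry requires an
# argument that starts with a letter (a username); the second entry
# refuses any argument string that contains "root".
Cmnd_Alias PASSWD_OTHERS = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*

# alice may run only the alias above, as root, on any host.
# dpkg is not listed, so "sudo dpkg ..." is refused without needing
# a "!" rule for it.
alice ALL = (root) PASSWD_OTHERS

# Weaker form, shown for contrast and left commented out: grant ALL and
# subtract dpkg. sudoers(5) warns that subtracting commands from ALL with
# "!" is generally not effective, so prefer the explicit list above.
# alice ALL = (root) ALL, !/usr/bin/dpkg
```

Check the syntax with `visudo -c -f /etc/sudoers.d/helpdesk`, then confirm what was actually granted with `sudo -l -U alice`.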
     Ubuntu question... - (cwbrenn) - (11)
         My guess is that it assumes a primary user. - (a6l6e6x) - (1)
             Yeah, but - (cwbrenn)
         Main reason: Ideaology - (folkert) - (3)
             Security feature? - (cwbrenn) - (2)
                 Here's what it does... - (Yendor) - (1)
                     ohhhhh... thanks for explaining that - (cwbrenn)
         Re: Ubuntu question... - (dws) - (3)
             I'd recommend not doing this. - (pwhysall) - (2)
                 A good point - (imric) - (1)
                     sudo is really powerful - (pwhysall)
         Now that I've figured out that Sudo thing... - (cwbrenn)