On Sat, Mar 08, 2003 at 08:07:51PM +0100, Christian Jaeger wrote: > Isn't it the same as for any user account? If that user (who maybe > shares his account with other people) wants his home dir private, he > can do so. Or create a subdir which is private(*). I just see no
Typical user accounts are not the same as the root user unless you go to selinux where you have to assume the admin role to actually do anything. Since I'm not running selinux on any production servers (yet) I prefer to put as severe a wall as I can between luser and root as I possibly can. The friendliness of privs depends very much on what it is you are doing. If the machine happens to be a firewall protecting a LAN with proprietary data, or a web server with many large web sites, the criteria are rather different. As I said, I use /root more as the common home for the admin group. Not necessarily security important things there all the time, but sometimes transiently there is. Security means turn everything off until the machine is totally unusable, and then turn them back on until you've got precisely what is required for the purpose and no more. Life will get easier when selinux goes more main stream as these things will be easily handled via policy rather than file owner/mode settings. -- ------------------------------------------------------ IN MY NAME: Dale Amon, CEO/MD No Mushroom clouds over Islandone Society London and New York. www.islandone.org ------------------------------------------------------