Iain M Conochie writes:

>> I got it about 20 years ago. Is it enough?
> Maybe - just maybe ;)

Indeed, never be sure! :)

>> You say it. It is not bullet proof. The bullet has already pierced the
>> target once. Therefore it may happen again.
> May - but not assured.

Indeed. You usually prepare for bad things hoping they'll never arrive.

> Then I guess I should have stated passphrase for your encryption, not
> password for access to the machine.

A good passphrase for the encryption will slow down (even halt, if you are lucky) an attacker that has complete control of your machine, while no password will protect a computer that is physically in the hands of the enemy. Is that a statement we can agree on? BTW, it's my point of view.

>> I think that the security problems that sudo could pose with the
>> default configuration could really be "useful" in a situation where
>> you need a large number of bots. What could trigger this? A large user
>> base with a majority of non-tech aware users.
>
> Wait - so by default you mean having a NOPASSWD entry or have an entry
> that allows certain users to enter a password when using sudo and then
> having a time where they do not need to? - The reason I ask is that I
> have never seen a NOPASSWD entry be default.

No, having one user with ALL=(ALL) ALL by default AND having credential caching.

The problem is not strictly technical. There is no technical difference in guarding an account with id 0:0 that you can access by direct logon or having root unreachable by logon and one user that can become root via su or sudo.

The problem is in the usage of the account; it's a psychological one: your everyday account is your everyday account, and using it with strict security - as appropriate for an administrative account - could be what someone labels "a PITA". And this relaxed behaviour may lead to security breaches.

Credential cache hijacking in sudo is one of the paths an attacker may use: the change of the timestamp was a trivial one to find and has been fixed; I fear that subtler attacks may be possible.

And in this case it is not that sudo is misbehaving. My opinion is that the poor program has been abused.

--
 /\   ___                                          Ubuntu: ancient
/___/\_|_|\_|__|___Gian Uberto Lauri_____           African word
//--\| | \| |  GNUslamic fundamentalist             meaning "I can
\/   self-employed software grower                  not install
     formerly a sysadmin in (other people's) spare time...  Debian"

Warning: gnome-config-daemon considered more dangerous than GOTO

Archive: http://lists.debian.org/21161.41330.271240.646...@mail.eng.it
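The point of the message above, one everyday account with an unrestricted sudo grant plus a credential cache, can be shown as a sudoers fragment. This is an added illustration, not part of the original message nor anything its author posted: the account name `alice` is a placeholder, and the two variants are alternatives for the same user, shown together only so the relaxed and the tightened shape can be compared. The option names (`timestamp_timeout`, `timestamp_type`, `use_pty`) are real sudoers Defaults; the 15-minute figure is stock sudo's compiled-in cache lifetime.

```sudoers
# Added illustration; not from the original message. "alice" is a placeholder.
# The two variants below are alternatives for the same account, not meant to
# coexist in one file.

# --- Variant A: the relaxed shape the thread is discussing ---
# One everyday account may run anything as root. With sudo's default
# credential cache (timestamp_timeout, 15 minutes in stock sudo), a single
# password entry lets later sudo calls in that window run without a prompt,
# so anything executing under alice's uid in that window inherits the grant.
alice   ALL=(ALL:ALL) ALL

# --- Variant B: the same grant, with the cache taken away ---
# timestamp_timeout=0 asks for the password on every sudo invocation, so a
# stale or tampered timestamp buys nothing.
Defaults:alice  timestamp_timeout=0
# Tickets are scoped to the tty instead of being global, so a session on
# another terminal (or a process with no tty) cannot ride on this one.
Defaults:alice  timestamp_type=tty
# Run the command inside a pseudo-terminal so a program started via sudo
# cannot push input back into the controlling terminal afterwards.
Defaults:alice  use_pty
alice   ALL=(ALL:ALL) ALL
```

Either variant can be syntax-checked before installation with `visudo -c -f <file>`. For users who keep the cache, `sudo -k` drops the timestamp for the current session, which is a cheap habit to adopt when leaving a terminal.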