James G. Sack (jim) wrote:
Perhaps this thread is a good place to echo a well-known security
mantra. Start with nothing allowed, then explicitly open up only those
capabilities you need.
If you have no remote access (e.g. ssh, vnc, ftp, telnet(!), ...) then you
don't need to worry about differentiating non-local from local users.
Yes, not too many moons ago, I had a lot of activity on my DSL for no
good reason. Eventually in the thread, someone mentioned sshd (possibly
among other things). I discovered that I had it running (IIRC), and
shut it down. Instantly, the Chinese IP address ceased its traffic on
my eth0.
But I have forgotten how to check for those things to see if they are
running. Services maybe? I don't even see ftp in the services
listing. Son of a gun, sshd is running!!! I thought I took care of
that. Well I just now did a stop, unchecked the checkbox, and saved.
Hopefully, that takes care of that. I don't see telnet or vnc in the
list either. Hmmm, how can I be sure... Wow, sometimes it can take a
lot of trial and error in the man pages to find what you want (assuming
this is even what I wanted):
$ ls /etc/rc.d/rc5.d/
K01apt K71lirc S08iptables S28autofs
K01NetworkManager K72wpa_supplicant S09isdn S44acpid
K01smartd K73winbind S10network S50bluetooth
K01smolt K73ypbind S11auditd S56xinetd
K05saslauthd K74lm_sensors S12restorecond S58ntpd
K09vdr K74nscd S13irqbalance S80sendmail
K10psacct K76openvpn S13rpcbind S88nasd
K15gpm K84btseed S14nfslock S90ConsoleKit
K15httpd K84bttrack S15mdmonitor S90crond
K20nfs K85racoon S18rpcidmapd S95atd
K24irda K87multipathd S19rpcgssd S96avahi-daemon
K25sshd K89dund S25fuse S96readahead_later
K35backuppc K89netplugd S25netfs S97yum-updatesd
K36lisa K89pand S25pcscd S98cups
K45arpwatch K89rdisc S26readahead_early S98haldaemon
K50netconsole K91capi S26rsyslog S98wine
K50snmpd S05kudzu S26udev-post S99anacron
K50snmptrapd S06cpuspeed S27messagebus S99firstboot
K69rpcsvcgssd S08ip6tables S27setroubleshoot S99local
I don't think my PC even has Bluetooth capability. Why is that daemon
running?
And ntpd, is that akin to ftp? Nope, false alarm. (That keeps my clock
current.)
I'm assuming that isdn is needed by my DSL?
I don't know what half of those things are. Does anyone see anything I
should be concerned about?
Thus, your sudo question becomes simplified, I think. It's still good
you asked though, because it gave (Greg, I think) a good chance to
explain what those host fields are for.
Good thing too. I was thoroughly confused about them (now, only
moderately so).
And BTW, what do you want to allow your user to do, anyway? It did sound
like you trusted him/her implicitly, but didn't trust remote access
security mechanisms, or maybe didn't trust your users' ability to do
remote access securely?
I would like him to be able to do lots of things, preferably everything
that "su -" lets him do. Would that be a bad thing?
rafael is me, so yes, I trust him implicitly (on most days anyway).
It's like you said just prior: I don't trust remote access security
mechanisms because I don't _need_ to trust them. I never do remote
access. I wish to set up remote access for myself to my friend's
computer, but that is another thread.
And finally, yes, you are correct. I don't trust rafael's ability to do
remote access securely since he has never done it. If I'm going to
learn that, I would prefer it be in an environment like an installfest.
--
Ralph
--------------------
From a strictly economic point of view, buying gold in a major
inflation and holding it probably presents the least risk of capital
loss of any investment or speculation.
--Henry Hazlitt
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
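The rc5.d listing above is being read by hand, so here is a small script that does the same reading mechanically. It is an added example, not something posted in this thread or shipped with the distribution in question. It treats any SysV rcN.d directory generally (S-prefixed entries start a service in that runlevel, K-prefixed entries stop it, no entry means the runlevel does not manage it), reports the state of a named service, flags the enabled entries that accept connections from the network, and then checks what is actually listening right now, which the rc directory alone cannot tell you. The list of "network-facing" services is the example author's judgement, the sample rc directory is constructed from a subset of the listing above, and the function names (list_enabled, service_state, flag_network_facing, listening_sockets, make_sample_rcdir) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. It reads a SysV rcN.d directory the
# way the ls output in the thread has to be read by hand: in rc5.d an entry named
# Snnfoo starts "foo" when entering runlevel 5, an entry named Knnfoo stops it,
# and a service with no entry at all is not managed in that runlevel.

# Print the names of the services started in the given rc directory, one per line.
list_enabled() {
    dir="$1"
    for link in "$dir"/S[0-9][0-9]*; do
        [ -e "$link" ] || continue            # no match: the glob is left unexpanded
        name=$(basename "$link")
        printf '%s\n' "${name#S[0-9][0-9]}"   # strip the S and the two-digit priority
    done
}

# Report one service as enabled / disabled / absent for that runlevel directory.
service_state() {
    dir="$1"; svc="$2"
    if ls "$dir"/S[0-9][0-9]"$svc" >/dev/null 2>&1; then
        echo enabled
    elif ls "$dir"/K[0-9][0-9]"$svc" >/dev/null 2>&1; then
        echo disabled
    else
        echo absent
    fi
}

# Entries from the thread's listing that accept connections from the network or
# from anything that can reach the LAN. This list is the example author's choice
# (an assumption), not something the thread states.
NETWORK_FACING="sshd httpd xinetd sendmail nfs rpcbind avahi-daemon cups snmpd ntpd bluetooth"

# Print the network-facing services that are enabled in the directory.
flag_network_facing() {
    dir="$1"
    for svc in $NETWORK_FACING; do
        [ "$(service_state "$dir" "$svc")" = enabled ] && printf '%s\n' "$svc"
    done
    return 0
}

# The rc directory only says what starts at boot. What is accepting connections
# right now is a separate question; ss (or the older netstat) answers it.
listening_sockets() {
    if command -v ss >/dev/null 2>&1; then
        ss -tulnp 2>/dev/null
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tulnp 2>/dev/null
    else
        echo "neither ss nor netstat found" >&2
        return 1
    fi
}

# Constructed sample (a subset of the rc5.d listing in the thread) so the script
# runs on any machine. Real entries are symlinks into ../init.d; empty files suffice.
make_sample_rcdir() {
    d=$(mktemp -d)
    for n in K25sshd K15httpd S50bluetooth S58ntpd S56xinetd S96avahi-daemon S09isdn; do
        : > "$d/$n"
    done
    echo "$d"
}

# Usage: RCDIR=/etc/rc.d/rc5.d sh audit_rc.sh   (defaults to the constructed sample)
SAMPLE=$(make_sample_rcdir)
RCDIR=${RCDIR:-$SAMPLE}
echo "Started in $RCDIR:"
list_enabled "$RCDIR"
echo "Network-facing and started:"
flag_network_facing "$RCDIR"
echo "Listening now:"
listening_sockets || true
rm -rf "$SAMPLE"
```

On the sample, sshd reports as disabled (the K25sshd entry matches the checkbox having been unchecked above) while xinetd, avahi-daemon, ntpd and bluetooth are flagged as enabled and network-facing. On a Fedora-era system of this vintage, chkconfig --list and service --status-all give the per-runlevel and running views respectively; the ss/netstat step is the one that catches a daemon started some other way than through rc5.d.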