On Thu, May 15, 2008 at 12:53:06AM +0000, Jussi Peltola wrote: > On Wed, May 14, 2008 at 05:30:18PM -0700, Ben Calvert wrote: > > On May 14, 2008, at 5:22 PM, Darrin Chandler wrote: > > >On Thu, May 15, 2008 at 01:45:51AM +0200, raven wrote: > > do people actually allow remote root access ? for more than 5 minutes > > after install? > > Too many people still use SSH public keys for root in automated scripts. > Besides, cracking your normal user account can result in just as bad > consequences as cracking the root account, especially if you su or sudo > to root... >
Remember that in linux/debian, files don't inheret the ownership of the directory into which they are placed. Therefore, e.g for copying backup files from one box to another with rsync, if a normal user does it (assuming that user has write permission to, e.g. on debian /var/local/backup, then the files end up owned by that user. The user can't change the ownership to root. This may not seem like a huge problem for e.g. tarballs that protect the ownership and permissions of files but for regular files, eg copies from /etc, then its an issue. Also, during restore, if that uid is either not the same user or no user at all, things can get interesting. Better to have root have ssh access to the backup repository box for rsyncing the backups. Root has to do the backups since debian packages don't come set up for "operator" to be able to read otherwise unreadable files. Doug.
