Why should non-root users have a password?

2003-12-07 Thread Tom
If I have a firewall, and I'm the only person who uses my computer, do I 
really have to have a password on my non-root account?

I know the answer is yes but -- why?  They can't do anything to my 
machine anyway, except use it.  And due to the firewall that never 
happens anyway.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Why should non-root users have a password?

2003-12-07 Thread Oliver Elphick
On Sun, 2003-12-07 at 19:28, Tom wrote:
 If I have a firewall, and I'm the only person who uses my computer, do I 
 really have to have a password on my non-root account?
 
 I know the answer is yes but -- why?  They can't do anything to my 
 machine anyway, except use it.  And due to the firewall that never 
 happens anyway.

You *hope* that never happens; but if it does, the password is an extra
protection.  And as we have recently seen, access to a non-root account
can be a springboard to root access.  It is foolish to rely on one
particular defence and bet all your security on that.  Did you ever read
about the Maginot Line?  Since your machine is connected to the net, you
really have a public duty to keep it properly secure, to minimise the
risk of its being taken over for sending out DOSs, viruses, spam or
warez.

A user password could also be a protection against nosy girlfriends...
-- 
Oliver Elphick [EMAIL PROTECTED]
Isle of Wight, UK http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
 
 And if thy hand offend thee, cut it off; it is better 
  for thee to enter into life maimed, than having two 
  hands to go into hell, into the fire that never shall 
  be quenched.  Mark 9:43 





Re: Why should non-root users have a password?

2003-12-07 Thread Andrew Pritchard
 If I have a firewall, and I'm the only person who uses my computer, do I
 really have to have a password on my non-root account?

 I know the answer is yes but -- why?  They can't do anything to my
 machine anyway, except use it.  And due to the firewall that never
 happens anyway.

There is no such thing as a totally secure machine - including your
firewall. Anyone who tells you otherwise is trying to sell you something. So
the question you need to be asking yourself is:

If someone cracks my firewall - what could they (mis)use my computer for?
Your firewall presumably allows outbound traffic so:

How much spam could they send before your ISP detects it and shuts you down?
How many viruses do you want them to send?

Do I need to go on?






Re: Why should non-root users have a password?

2003-12-07 Thread H. S.
Tom wrote:
 If I have a firewall, and I'm the only person who uses my computer, do I 
 really have to have a password on my non-root account?
 
 I know the answer is yes but -- why?  They can't do anything to my 
 machine anyway, except use it.  And due to the firewall that never 
 happens anyway.

What happens if somebody soon exploits some so-far-unknown weakness in 
your firewall or your kernel setup or your various running services? Your 
password will be there as another line of defense -- provided it is a 
good password. If you are connected to the net it would not be wise to 
disable passwords -- more so if you are connected through a high speed 
modem.

-HS

--
(Remove all underscores,_if any_, from my email address to get the 
correct one. Apologies for the inconvenience, but this is to reduce spam.)






Re: Why should non-root users have a password?

2003-12-07 Thread Alex Malinovich
On Sun, 2003-12-07 at 13:59, Oliver Elphick wrote:
--snip--
 A user password could also be a protection against nosy girlfriends...

At least until she says "Why won't you tell me your password, don't you
trust me?" in which case it's about as easy to answer 'correctly' as
"Does this make me look fat?". :)

-- 
Alex Malinovich
Support Free Software, delete your Windows partition TODAY!
Encrypted mail preferred. You can get my public key from any of the
pgp.net keyservers. Key ID: A6D24837





Re: Why should non-root users have a password?

2003-12-07 Thread Bijan Soleymani
Tom [EMAIL PROTECTED] writes:

 If I have a firewall, and I'm the only person who uses my computer, do I 
 really have to have a password on my non-root account?

 I know the answer is yes but -- why?  They can't do anything to my 
 machine anyway, except use it.  And due to the firewall that never 
 happens anyway.

What I do on my machines is to have a password but to configure GDM
and login not to require a password for local logins. So that anyone
sitting at my computer could log in without a password, but they
couldn't do that over ssh.

Bijan
-- 
Bijan Soleymani [EMAIL PROTECTED]
http://www.crasseux.com
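
A first-pass check for the setup discussed in this thread (an account with no password on a machine that also accepts ssh logins), added here as an example and not part of any poster's message. It lists accounts whose /etc/shadow password field is empty and reports whether sshd's PasswordAuthentication and PermitEmptyPasswords settings would admit them remotely; the sample file contents and account names are constructed, and PAM policy is not examined.

```python
# Constructed sample in /etc/shadow format (name:password-field:...); not from a real host.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$6$constructedsalt$constructedhash:19000:0:99999:7:::
guest:!:19000:0:99999:7:::
"""

# Constructed sshd_config fragment showing the weak setting.
SAMPLE_SSHD_CONFIG = """\
# constructed example
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

def empty_password_accounts(shadow_text):
    """Return account names whose shadow password field is empty."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        # "" means no password is required; "*" or "!" means password login is disabled.
        if fields[1] == "":
            names.append(fields[0])
    return names

def sshd_option(config_text, keyword, default):
    """Return the first global value of a keyword (sshd uses the first one it reads)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":
            break  # conditional Match blocks are out of scope for this check
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default

def ssh_reachable_empty_accounts(shadow_text, config_text):
    """Accounts with no password that sshd's password login would accept."""
    password_auth = sshd_option(config_text, "PasswordAuthentication", "yes")
    permit_empty = sshd_option(config_text, "PermitEmptyPasswords", "no")
    if password_auth == "yes" and permit_empty == "yes":
        return empty_password_accounts(shadow_text)
    return []
```

With sshd's default of PermitEmptyPasswords no, the second function returns an empty list even when the first one finds passwordless accounts, which is the local-only arrangement described above.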





Re: Why should non-root users have a password?

2003-12-07 Thread Terry Hancock
On Sunday 07 December 2003 01:28 pm, Tom wrote:
 If I have a firewall, and I'm the only person who uses my computer, do I 
 really have to have a password on my non-root account?
 
 I know the answer is yes but -- why?  They can't do anything to my 
 machine anyway, except use it.  And due to the firewall that never 
 happens anyway.

If you really know that, then the answer is no, you don't need it.

But for those of us who are paranoid enough to think that our
firewall might not be perfect or that someone might try to access
our computer from the console, there are reasons.

The first step in most root exploits is to get normal user access, and
so it's helpful if that's not too easy.  *That* is why you don't want
just anybody to use your system.

Cheers,
Terry

--
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks  http://www.anansispaceworks.com





Re: Why should non-root users have a password?

2003-12-07 Thread Arnt Karlsen
On Sun, 7 Dec 2003 11:28:41 -0800, 
Tom [EMAIL PROTECTED] wrote in message 
[EMAIL PROTECTED]:

 If I have a firewall, and I'm the only person who uses my computer, do
 I really have to have a password on my non-root account?
 
 I know the answer is yes but -- why?  They can't do anything to my 
 machine anyway, except use it.  And due to the firewall that never 
 happens anyway.

..so, after sneaking past your firewall, do they need root to get 
your passwd-less account ready for the root-kit?  ;-)

..and, with a good root-kit in place etc, how do you explain those
funny pictures to the judge, running linux and with a firewall 
and all?  ;-)

..be paranoid _enough_.

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.






Re: Why should non-root users have a password?

2003-12-07 Thread Tom
On Sun, Dec 07, 2003 at 09:48:00PM +0100, Arnt Karlsen wrote:
 
 ..be paranoid _enough_.

Yeah, thanks everybody.  Every once in a while I let the fact that I 
never seem to get hacked confuse me...

I never ran Virus software on my Home PC and I never got infected, 
except once: working at Microsoft, I installed Win2K Pro at home and 
VPN'd into CorpNet to put SP1 on it.  I didn't get Nimda from the 
Internet -- I got it from Microsoft's Corpnet.

Everybody runs BlackIce because everybody's box at CorpNet gets 
hundreds of Nimdas and Slammers per day.  Ain't that funny?

But really, I'm not a dumb ass: I *never* got hacked at home.  I'm not a 
dummy, I know, I never got hit.  So I ferget sometime...

Bijan's suggestion was good, I may try it...





Re: Why should non-root users have a password?

2003-12-07 Thread Micha Feigin
On Sun, Dec 07, 2003 at 11:28:41AM -0800, Tom wrote:
 If I have a firewall, and I'm the only person who uses my computer, do I 
 really have to have a password on my non-root account?
 
 I know the answer is yes but -- why?  They can't do anything to my 
 machine anyway, except use it.  And due to the firewall that never 
 happens anyway.
 

The firewall probably mostly protects your computer although most
probably it can be broken through if someone really wants to (the old
saying that if there is a door then there is a way through it).
As for the user password. Just as an example look at the break-in into
the Debian system. This was done using a regular user's password that
was sniffed on another computer and then a local buffer overflow (there
is usually at least one floating around) was used to get the root
password.
Thus, if someone who knows what s/he is doing gets through your firewall
then they most probably can get full root privilege.
It's all a question of convenience versus how secure you want to feel.
Another option you can use is to enable passwordless login in gdm
(probably others can do this too). Thus a person would need physical
access to the computer to actually log in without a password.

 



Re: Why should non-root users have a password?

2003-12-07 Thread Paul Morgan
On Sun, 07 Dec 2003 14:07:19 -0600, Alex Malinovich wrote:

 On Sun, 2003-12-07 at 13:59, Oliver Elphick wrote:
 --snip--
 A user password could also be a protection against nosy girlfriends...
 
 At least until she says "Why won't you tell me your password, don't you
 trust me?" in which case it's about as easy to answer 'correctly' as
 "Does this make me look fat?". :)

Answer: I trust you so much that, instead of giving you my password,
I'll give you your *very own* login, my sweetheart.

-- 
paul

Don't be so humble.  You're not that great.
(Golda Meir)






Re: Why should non-root users have a password?

2003-12-07 Thread Paul Johnson

On Sun, Dec 07, 2003 at 11:28:41AM -0800, Tom wrote:
 If I have a firewall, and I'm the only person who uses my computer, do I 
 really have to have a password on my non-root account?

YES!  Firewalls are not the end-all, be-all in security.  Security is
not a product, it's a process.

 I know the answer is yes but -- why?

Because it's easier to compromise any system once you have your foot
in the door.  This is also why your root password should not be the
same as any normal user passwords.

 They can't do anything to my machine anyway, except use it.

Really?  Apparently you don't follow the news...

http://www.debian.org/News/2003/20031121

-- 
 .''`. Paul Johnson [EMAIL PROTECTED]
: :'  :
`. `'` proud Debian admin and user
  `-  Debian - when you have better things to do than fix a system





Re: Why should non-root users have a password?

2003-12-07 Thread Paul Johnson

On Sun, Dec 07, 2003 at 02:07:19PM -0600, Alex Malinovich wrote:
 At least until she says "Why won't you tell me your password, don't you
 trust me?" in which case it's about as easy to answer 'correctly' as
 "Does this make me look fat?". :)

I had a girlfriend who said that.  I handled it smoothly:  I trust
you with an account on my system, lemme set one up for you real quick...

-- 
 .''`. Paul Johnson [EMAIL PROTECTED]
: :'  :
`. `'` proud Debian admin and user
  `-  Debian - when you have better things to do than fix a system





Re: Why should non-root users have a password?

2003-12-07 Thread Paul Johnson

On Sun, Dec 07, 2003 at 01:01:55PM -0800, Tom wrote:
 But really, I'm not a dumb ass: I *never* got hacked at home.

Of course not.  Though I think the term you're looking for is
cracked.

http://ursine.ca/jargon/html/C/crack.html

-- 
 .''`. Paul Johnson [EMAIL PROTECTED]
: :'  :
`. `'` proud Debian admin and user
  `-  Debian - when you have better things to do than fix a system





Re: Why should non-root users have a password?

2003-12-07 Thread Monique Y. Herman
On Sun, 07 Dec 2003 at 21:36 GMT, Paul Morgan penned:
 On Sun, 07 Dec 2003 14:07:19 -0600, Alex Malinovich wrote:
 
 On Sun, 2003-12-07 at 13:59, Oliver Elphick wrote: --snip--
 A user password could also be a protection against nosy
 girlfriends...
 
 At least until she says "Why won't you tell me your password, don't
 you trust me?" in which case it's about as easy to answer 'correctly'
 as "Does this make me look fat?". :)
 
 Answer: I trust you so much that, instead of giving you my password,
 I'll give you your *very own* login, my sweetheart.
 

Agreed!

My sweetheart and I each run our own servers, and while we each have
accounts on the other's machine, we sure don't share passwords.

At one point, we discussed consolidating to one server, but I just
wasn't willing to live in a world where I didn't have absolute control
... and he tends to unnecessarily build things from source, making
package maintenance annoying.
-- 
monique

