Asking a user for the root password and executing root only commands...

Bengt Richter bokr at oz.net
Thu Nov 7 14:29:33 EST 2002


On Thu, 7 Nov 2002 18:01 +0000 (GMT Standard Time), mark.charsley at REMOVE_THIS.radioscape.com (Mark Charsley) wrote:

>In article <aq9vpp$gd7$0 at 216.39.172.122>, bokr at oz.net (Bengt Richter) 
>wrote:
>
>> >> but by default any doorknob rattler could kick it off with ctrl-alt-del
>> >> without being asked for a password. Not a cool default config IMO ;-/
>> >
>> >Thus providing anyone with access to the console's power switch a more
>> >computer-friendly way of rebooting a locked-up machine than power-cycling
>> >it.
>> It's a bit too friendly for my taste ;-) I accidentally did it too many
>> times, because I am used to the keying pattern to get past the locking
>> screensaver on my NT box, so when I turn to the linux box I just do the
>> same if I am at all distracted.
>
>Ah I thought you were arguing that the three fingered salute resetting a 
>linux box was a security hole.
Well, yes, that too. If it's not, why would you watch 8-year-old visitors
more carefully near your linux keyboard than your NT keyboard ;-)
It's not that they can get root so much as the denial-of-service aspect.
(Imagine that the box is just about to finish something that runs several hours ;-)

Even if you don't have a lock on the physical power and reset, the social
threshold for poking power/reset buttons is a little higher than fingering
the keyboard.

>
>IMO it's at least as valid to complain about win32 changing the meaning of 
>C-A-D from "reset the machine" as it is to complain about linux 
>maintaining that meaning.
>
I disagree on that. I think an access-controlled machine needs a secure attention
signal to start an unspoofable authentic login, and Ctrl-Alt-Del was the logical
choice for PCs. I think a locking screensaver timeout is a good idea. And after
the timeout, I don't think you should be able to see what was on the screen before
without logging in (which should require an SAS), never mind hitting Alt-Fx and
getting a root session if someone lapsed and walked away from that.

But in any case, my biggest beef is with loose-access defaults. I don't think it
should be possible to get past an install with insecure settings unless you chose them
explicitly. However you want to choose, though, that's up to you.

A reset is like rm -f on the current dynamic state of the machine. I think
it's inconsistent to allow that by default from the keyboard without root, when you
can't do it otherwise from the keyboard. Physical access to power/reset is a separate
issue to my mind.

Regards,
Bengt Richter
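As an added example (this is not code from the original post or from anyone in the thread): a small POSIX sh audit of the sysvinit-era inittab default the post is complaining about, the `ca::ctrlaltdel:` entry that reboots the box from the keyboard with no authentication, together with a rewrite to a log-only action and the kernel-level caveat that can make the inittab setting moot. The inittab contents and the sysctl values are constructed for the example, and the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original post or thread.
# Audits a sysvinit-style /etc/inittab for the "ctrlaltdel" action (keyboard
# reboot with no password) and rewrites it to a log-only action. Assumes the
# sysvinit inittab syntax id:runlevels:action:process; the sample inittab and
# sysctl values below are constructed for this example.

# default_inittab_file
# Writes a constructed inittab resembling a 2002-era distro default to a temp
# file and prints its path.
default_inittab_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Constructed sample /etc/inittab (sysvinit), not copied from any distro.
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
# What to do when CTRL-ALT-DEL is pressed: reboot, no password asked.
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
EOF
    echo "$f"
}

# ctrlaltdel_action FILE
# Prints the policy an inittab gives Ctrl-Alt-Del:
#   unauthenticated-reboot : the entry runs shutdown/reboot/telinit directly
#   disabled               : an entry exists but only logs (or does nothing)
#   unconfigured           : no entry at all, so sysvinit does nothing on SIGINT
ctrlaltdel_action() {
    # Drop comment lines, then pick the first line whose 3rd field is the action.
    entry=$(grep -v '^[[:space:]]*#' "$1" | awk -F: '$3 == "ctrlaltdel" { print; exit }')
    if [ -z "$entry" ]; then
        echo unconfigured
        return 0
    fi
    # Everything from the 4th field on is the command init will run.
    process=$(printf '%s\n' "$entry" | cut -d: -f4-)
    case "$process" in
        *shutdown*|*reboot*|*telinit*|*halt*|*poweroff*)
            echo unauthenticated-reboot ;;
        *)
            echo disabled ;;
    esac
}

# harden_inittab FILE
# Keeps the ctrlaltdel entry (so the decision is visible in the file) but makes
# it only log the keypress; a reboot then requires logging in as root first.
harden_inittab() {
    sed 's|^\([^#][^:]*\):\([^:]*\):ctrlaltdel:.*$|\1:\2:ctrlaltdel:/usr/bin/logger -p authpriv.notice "ctrl-alt-del at console ignored"|' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# kernel_cad_mode FILE
# FILE is /proc/sys/kernel/ctrl-alt-del on a live host (a constructed copy in
# the demo). 0 = the kernel hands the keystroke to init, so the inittab policy
# applies; anything else = immediate reboot without syncing, whatever inittab says.
kernel_cad_mode() {
    case "$(cat "$1")" in
        0) echo init-handles ;;
        *) echo kernel-hard-reboot ;;
    esac
}

# constructed_sysctl_file VALUE
# Writes VALUE to a temp file standing in for /proc/sys/kernel/ctrl-alt-del.
constructed_sysctl_file() {
    f=$(mktemp)
    echo "$1" > "$f"
    echo "$f"
}

# Demo on the constructed sample: before and after hardening.
sample=$(default_inittab_file)
echo "before: $(ctrlaltdel_action "$sample")"   # unauthenticated-reboot
harden_inittab "$sample"
echo "after:  $(ctrlaltdel_action "$sample")"   # disabled
rm -f "$sample"
```

On a systemd host the equivalent of the hardened entry is `systemctl mask ctrl-alt-del.target`, and whichever init you run, `kernel.ctrl-alt-del` must stay 0, or the kernel reboots on the keystroke without ever consulting init. Neither setting helps against someone with the power switch; that, as the post says, is a separate issue.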