[vox-tech] User with root privileges
Peter Jay Salzman
vox-tech@lists.lugod.org
Mon, 24 Nov 2003 04:58:49 -0800
On Mon 24 Nov 03, 2:39 AM, Michael Wenk <wenk@praxis.homedns.org> said:
> On Sunday 23 November 2003 03:21 am, Peter Jay Salzman wrote: > > On Sun 23 Nov 03, 12:53 AM, Michael Wenk <wenk@praxis.homedns.org> said:
> > > On Saturday 22 November 2003 06:51 pm, Peter Jay Salzman wrote:
> > > > > > but never mind that. let's talk about something else.
> > > > > >
> > > > > > so we have a guy who presumably owns a solaris box. he wants to
> > > > > > install something. i forget what it was. oracle? anyway. he
> > > > > > wants to do it from an account named "joeschmo", rather than
> > > > > > "root".
> > > > > >
> > > > > > do you really not see anything wrong with that?
> > > > > >
> > > > > > the only person who should be doing that is a hacker.
> > > > >
> > > > > Or an oracle DBA/sysadmin... oracle is not installed as root,
> > > > > although there are 2-3 parts that require you to run a script as root
> > > > > to do somethings.
> > > >
> > > > and you would change a user's UID or GID to do this?
> > >
> > > You are not making sense. You said above that you had a guy that wanted
> > > to install oracle from an account other than root(which is the way oracle
> > > is supposed to be installed.) So you're dinging me for that? Have you
> > > ever done oracle installs? Am I missing something here?
> >
> > yes, mike. you're missing something here: the whole point.
> >
> > the whole point of this conversation is that the guy changed the UID/GID
> > of a user level account to "0" just so he didn't have to change to root
> > when he types "make install".
> >
> > get it yet? i'll try to spell it out some more.
> >
> > he wants to edit /etc/passwd and change the 3rd and 4th fields to "0" to
> > bypass running the install scripts as root. which is STUPID.
> >
> > so then i say:
> >
> > the only person who edit's /etc/passwd and changes the 3rd and 4th
> > field of a user account to zero is a hacker (or a clueless newbie).
> >
> > then you say:
> >
> > or a oracle DBA/sysadmin
> >
> >
> >
> > in case you're being really dense, let me hold your hand some more.
> >
> > 1. i said only hackers and newbies edit /etc/passwd to give user
> > accounts superuser privileges so they don't have to be root to install
> > software.
>
> Well for the longest time I had my passwd entry UIDing my user acct to UID 0.
> The only reason I changed the way I did it was because I mated my home system
> to a work network, and that forced me to do so.
>
> > 2. then you said "oracle DBA/sysadmins do too".
>
> Actually, the way you put it was quite unclear:
>
> "and you would change a user's UID or GID to do this?"
ok, so now you understand.
the way i put it was clear enough if you had read the previous message.
you jumped into a thread without reading the previous posts: everyone
else (except you) understood because they did read the previous posts.
> > you have to laugh because i value my system?!?
> >
> > that is one of most callous and non-professional things i've ever heard
> > anybody claiming to be "system administrator" say.
>
> Funny that you are calling me unprofessional. That is a good one. Maybe you
> ought to act the way
>
> And I am laughing because you are missing the obvious. I wonder how good the
> lock is on your door? Or the door itself?
who the hell cares?
are you saying the chances of home invasion are SO much greater than
getting hacked that you're laughing because i'm worried about getting
hacked into?
that's the most stupid thing i've ever heard.
1. if someone breaks into my house, my computer is the LAST thing i'm
going to worry about.
2. if someone breaks into my house, i doubt they're going to steal my
computer.
boy, are you clueless!
> If someone wants your data bad
> enough, its quite trivial to break in and steal the system itself. Remember
> kids, physical security is much more important than data security. And
> there's the added benefit that if your system is physically stolen, you
> really are deprived of its use. So then you're screwed more ways than one.
most of the people who hack into computers are looking to install DoS
servers, IRC servers, poke around people's files and collect accounts to
trade with other hackers. NOT to steal hard drive contents. but you
seem to laugh at this.
that's the main danger of not caring about the security of a home system
on DSL. we don't give a flying fuck about physical security. this
isn't corporate. we care about people breaking into our systems and
making them a launch pad for hacking other systems, spam and kiddie
porn. but you seem to laugh at this.
you seem to think physical security is the end all and be all and have
NO concept of what 99% of all hackers want. you laugh at people who
worry about their home systems getting hacked into because you expect
home invasion to vastly outweigh getting hacked into. you also think
that someone who breaks into our house is going to steal our computer.
hah.
you are the MOST clueless system administrator i've ever met. it's hard
to believe you even call yourself one.
pete