[vox-tech] User with root privileges

Michael Wenk vox-tech@lists.lugod.org
Mon, 24 Nov 2003 19:06:59 -0800


On Monday 24 November 2003 04:58 am, Peter Jay Salzman wrote:
> On Mon 24 Nov 03,  2:39 AM, Michael Wenk <wenk@praxis.homedns.org> said:
> > On Sunday 23 November 2003 03:21 am, Peter Jay Salzman wrote:
> > > On Sun 23 Nov 03, 12:53 AM, Michael Wenk <wenk@praxis.homedns.org> said:
> > > > On Saturday 22 November 2003 06:51 pm, Peter Jay Salzman wrote:
> > > > > > > but never mind that.  let's talk about something else.
> > > > > > >
> > > > > > > so we have a guy who presumably owns a solaris box.  he wants
> > > > > > > to install something.  i forget what it was.  oracle?  anyway. 
> > > > > > > he wants to do it from an account named "joeschmo", rather than
> > > > > > > "root".
> > > > > > >
> > > > > > > do you really not see anything wrong with that?
> > > > > > >
> > > > > > > the only person who should be doing that is a hacker.
> > > > > >
> > > > > > Or an oracle DBA/sysadmin... oracle is not installed as root,
> > > > > > although there are 2-3 parts that require you to run a script as
> > > > > > root to do some things.
> > > > >
> > > > > and you would change a user's UID or GID to do this?
> > > >
> > > > You are not making sense.  You said above that you had a guy that
> > > > wanted to install oracle from an account other than root (which is the
> > > > way oracle is supposed to be installed.)   So you're dinging me for
> > > > that?  Have you ever done oracle installs?  Am I missing something
> > > > here?
> > >
> > > yes, mike.  you're missing something here: the whole point.
> > >
> > > the whole point of this conversation is that the guy changed the
> > > UID/GID of a user level account to "0" just so he didn't have to change
> > > to root when he types "make install".
> > >
> > > get it yet?  i'll try to spell it out some more.
> > >
> > > he wants to edit /etc/passwd and change the 3rd and 4th fields to "0"
> > > to bypass running the install scripts as root.  which is STUPID.
> > >
> > > so then i say:
> > >
> > >    the only person who edits /etc/passwd and changes the 3rd and 4th
> > >    field of a user account to zero is a hacker (or a clueless newbie).
> > >
> > > then you say:
> > >
> > >    or an oracle DBA/sysadmin
> > >
> > >
> > >
> > > in case you're being really dense, let me hold your hand some more.
> > >
> > > 1. i said only hackers and newbies edit /etc/passwd to give user
> > >    accounts superuser privileges so they don't have to be root to
> > >    install software.
> >
> > Well for the longest time I had my passwd entry UIDing my user acct to
> > UID 0. The only reason I changed the way I did it was because I mated my
> > home system to a work network, and that forced me to do so.
> >
> > > 2. then you said "oracle DBA/sysadmins do too".
> >
> > Actually, the way you put it was quite unclear:
> >
> > "and you would change a user's UID or GID to do this?"
>
> ok, so now you understand.
>
> the way i put it was clear enough if you had read the previous message.
> you jumped into a thread without reading the previous posts: everyone
> else (except you) understood because they did read the previous posts.

Actually I read every post before I responded to yours.  Yours made utterly no 
sense in the context I was in at the time.

>
> > > you have to laugh because i value my system?!?
> > >
> > > that is one of the most callous and non-professional things i've ever heard
> > > anybody claiming to be "system administrator" say.
> >
> > Funny that you are calling me unprofessional.  That is a good one.  Maybe
> > you ought to act the way
> >
> > And I am laughing because you are missing the obvious.  I wonder how good
> > the lock is on your door?  Or the door itself?
>
> who the hell cares?

I am saying that first and foremost, physical security is the foundation of 
all security.  If the place where the box lives is not secure, you can add as 
much fancy shmancy crap you want, it will not matter, someone who wants your 
data badly enough will just take your box.   Is that clear enough for you, or 
do I need to word it more simply?  

You know what, kiss my ass.  Go ahead find a place to hire you, get 8 or 9 
years of experience with security and then we'll talk.  

> most of the people who hack into computers are looking to install DoS
> servers, IRC servers, poke around people's files and collect accounts to
> trade with other hackers.  NOT to steal hard drive contents.  but you
> seem to laugh at this.
>
> that's the main danger of not caring about the security of a home system
> on DSL.  we don't give a flying fuck about physical security.  this
> isn't corporate.  we care about people breaking into our systems and
> making them a launch pad for hacking other systems, spam and kiddie
> porn.  but you seem to laugh at this.

Actually, you were talking about doing this professionally.  Look at it this 
way, any of that crap happens, you will find it pretty friggin quickly.  You 
do that, you rebuild your box, and then you're done.  Odds are you'll not be 
hit again.  No one I personally know has been hit by a hacker in that way, 
and no one I know has done anything beyond really simple crap like securing 
services that takes perhaps 15-20 minutes.  Then look at all the time you 
spend at it going beyond that, compare it with the time you spent building 
your system in the first place.  For me, that's pretty solidly more time 
spent actually securing the thing than building it (and doing such small 
things as turning off services and running strobe against the system to make 
sure unnecessary crap is off.)  I think for the vast majority of people out 
there, it would also be skewed that way.  

> you seem to think physical security is the end all and be all and have
> NO concept of what 99% of all hackers want.  you laugh at people who
> worry about their home systems getting hacked into because you expect
> home invasion to vastly outweigh getting hacked into.  you also think
> that someone who breaks into our house is going to steal our computer.
> hah.

Only if they want your data.  The only reason I'd be concerned about my system 
is for the data on it.  Someone hacks it, OK, fine, I load a CD, spend 10-15 
mins setting up the install, go off for a half hr, and come back.  Done.  
Load a second CD, launch a script, go to the movies, come back, Done.  have a 
nice new hot system, minus my data(important stuff is backed up to CD.)  I 
have perhaps 30 minutes on that, perhaps another 30 minutes to make sure it's 
all pretty, and I am done.  Can you do a really good job in securing a system 
in an hr?  I doubt it, and if you could, you're missing something.   


>
> you are the MOST clueless system administrator i've ever met.  it's hard
> to believe you even call yourself one.

Again Pete, I suggest you get something called real world experience before 
you say that.  First year or two, you learn about the crap you really have to 
worry about vs the crap that's irrelevant.  

Good day. 

-- 
wenk@praxis.homedns.org
Mike Wenk
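
Added example, not part of the original message or of either poster's setup: the thread turns on setting the 3rd and 4th fields of /etc/passwd (UID and GID) to 0 for an ordinary account, and the check below lists such entries in passwd-format input. The function names and the sample lines are constructed for illustration; "joeschmo" is reused from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit passwd(5)-format input for
# non-root accounts whose UID (field 3) or GID (field 4) is 0.

# Constructed sample data; "joeschmo" mirrors the account in the thread.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
joeschmo:x:0:0:Joe Schmo:/export/home/joeschmo:/bin/sh
oracle:x:1001:1001:Oracle owner:/export/home/oracle:/bin/sh
operator:x:11:0:operator:/:/bin/false
broken-line-without-fields
EOF
}

# Reads passwd-format lines on stdin, prints one finding per line:
#   name:uid0:UID:GID   account other than root holding UID 0
#   name:gid0:UID:GID   account whose primary group is GID 0
#   malformed:N         line N does not have the 7 colon-separated fields
find_uid0_accounts() {
    awk -F: '
        /^#/ || /^[ \t]*$/ || /^[+-]/ { next }  # comments, blanks, NIS compat entries
        NF != 7       { print "malformed:" NR; next }
        $1 == "root"  { next }
        $3 ~ /^0+$/   { print $1 ":uid0:" $3 ":" $4; next }
        $4 ~ /^0+$/   { print $1 ":gid0:" $3 ":" $4 }
    '
}

# Run against the sample; on a real host: find_uid0_accounts < /etc/passwd
sample_passwd | find_uid0_accounts
```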