[vox-tech] User with root privileges
Peter Jay Salzman
vox-tech@lists.lugod.org
Mon, 24 Nov 2003 19:37:22 -0800
On Mon 24 Nov 03, 7:06 PM, Michael Wenk <wenk@praxis.homedns.org> said:
> On Monday 24 November 2003 04:58 am, Peter Jay Salzman wrote:
> > On Mon 24 Nov 03, 2:39 AM, Michael Wenk <wenk@praxis.homedns.org> said:
> > > On Sunday 23 November 2003 03:21 am, Peter Jay Salzman wrote:
> > > > On Sun 23 Nov 03, 12:53 AM, Michael Wenk <wenk@praxis.homedns.org> said:
> > > > > On Saturday 22 November 2003 06:51 pm, Peter Jay Salzman wrote:
> > > > > > > > but never mind that. let's talk about something else.
> > > > > > > >
> > > > > > > > so we have a guy who presumably owns a solaris box. he wants
> > > > > > > > to install something. i forget what it was. oracle? anyway.
> > > > > > > > he wants to do it from an account named "joeschmo", rather than
> > > > > > > > "root".
> > > > > > > >
> > > > > > > > do you really not see anything wrong with that?
> > > > > > > >
> > > > > > > > the only person who should be doing that is a hacker.
> > > > > > >
> > > > > > > Or an oracle DBA/sysadmin... oracle is not installed as root,
> > > > > > > although there are 2-3 parts that require you to run a script as
> > > > > > > root to do some things.
> > > > > >
> > > > > > and you would change a user's UID or GID to do this?
> > > > >
> > > > > You are not making sense. You said above that you had a guy that
> > > > > wanted to install oracle from an account other than root (which is the
> > > > > way oracle is supposed to be installed.) So you're dinging me for
> > > > > that? Have you ever done oracle installs? Am I missing something
> > > > > here?
> > > >
> > > > yes, mike. you're missing something here: the whole point.
> > > >
> > > > the whole point of this conversation is that the guy changed the
> > > > UID/GID of a user level account to "0" just so he didn't have to change
> > > > to root when he types "make install".
> > > >
> > > > get it yet? i'll try to spell it out some more.
> > > >
> > > > he wants to edit /etc/passwd and change the 3rd and 4th fields to "0"
> > > > to bypass running the install scripts as root. which is STUPID.
> > > >
> > > > so then i say:
> > > >
> > > > the only person who edits /etc/passwd and changes the 3rd and 4th
> > > > field of a user account to zero is a hacker (or a clueless newbie).
> > > >
> > > > then you say:
> > > >
> > > > or an oracle DBA/sysadmin
> > > >
> > > >
> > > >
> > > > in case you're being really dense, let me hold your hand some more.
> > > >
> > > > 1. i said only hackers and newbies edit /etc/passwd to give user
> > > > accounts superuser privileges so they don't have to be root to
> > > > install software.
> > >
> > > Well for the longest time I had my passwd entry UIDing my user acct to
> > > UID 0. The only reason I changed the way I did it was because I mated my
> > > home system to a work network, and that forced me to do so.
> > >
> > > > 2. then you said "oracle DBA/sysadmins do too".
> > >
> > > Actually, the way you put it was quite unclear:
> > >
> > > "and you would change a user's UID or GID to do this?"
> >
> > ok, so now you understand.
> >
> > the way i put it was clear enough if you had read the previous message.
> > you jumped into a thread without reading the previous posts: everyone
> > else (except you) understood because they did read the previous posts.
>
> Actually I read every post before I responded to yours. Yours made utterly no
> sense in the context I was in at the time.
>
> >
> > > > you have to laugh because i value my system?!?
> > > >
> > > > that is one of the most callous and non-professional things i've ever heard
> > > > anybody claiming to be "system administrator" say.
> > >
> > > Funny that you are calling me unprofessional. That is a good one. Maybe
> > > you ought to act the way
> > >
> > > And I am laughing because you are missing the obvious. I wonder how good
> > > the lock is on your door? Or the door itself?
> >
> > who the hell cares?
>
> I am saying that first and foremost, physical security is the foundation of
> all security. If the place where the box lives is not secure, you can add as
> much fancy shmancy crap you want, it will not matter, someone who wants your
> data badly enough will just take your box. Is that clear enough for you, or
> do I need to word it more simply?
>
> You know what, kiss my ass. Go ahead find a place to hire you, get 8 or 9
> years of experience with security and then we'll talk.
>
> > most of the people who hack into computers are looking to install DoS
> > servers, IRC servers, poke around people's files and collect accounts to
> > trade with other hackers. NOT to steal hard drive contents. but you
> > seem to laugh at this.
> >
> > that's the main danger of not caring about the security of a home system
> > on DSL. we don't give a flying fuck about physical security. this
> > isn't corporate. we care about people breaking into our systems and
> > making them a launch pad for hacking other systems, spam and kiddie
> > porn. but you seem to laugh at this.
>
> Actually, you were talking about doing this professionally. Look at it this
> way, any of that crap happens, you will find it pretty friggin quickly. You
> do that, you rebuild your box, and then you're done. Odds are you'll not be
> hit again. No one I personally know has been hit by a hacker in that way,
> and no one I know has done anything beyond really simple crap like securing
> services that takes perhaps 15-20 minutes. Then look at all the time you
> spend at it going beyond that, compare it with the time you spent building
> your system in the first place. For me, that's pretty solidly more time
> spent actually securing the thing than building it (and doing such small
> things as turning off services and running strobe against the system to make
> sure unnecessary crap is off.) I think for the vast majority of people out
> there, it would also be skewed that way.
>
> > you seem to think physical security is the end all and be all and have
> > NO concept of what 99% of all hackers want. you laugh at people who
> > worry about their home systems getting hacked into because you expect
> > home invasion to vastly outweigh getting hacked into. you also think
> > that someone who breaks into our house is going to steal our computer.
> > hah.
>
> Only if they want your data. The only reason I'd be concerned about my system
> is for the data on it. Someone hacks it, OK, fine, I load a CD, spend 10-15
> mins setting up the install, go off for a half hr, and come back. Done.
> Load a second CD, launch a script, go to the movies, come back, Done. have a
> nice new hot system, minus my data (important stuff is backed up to CD.) I
> have perhaps 30 minutes on that, perhaps another 30 minutes to make sure it's
> all pretty, and I am done. Can you do a really good job in securing a system
> in an hr? I doubt it, and if you could, you're missing something.
>
>
> >
> > you are the MOST clueless system administrator i've ever met. it's hard
> > to believe you even call yourself one.
>
> Again Pete, I suggest you get something called real world experience before
> you say that. First year or two, you learn about the crap you really have to
> worry about vs the crap that's irrelevant.

mike,

mark understood.
ryan understood.
rhonda understood.

you're the odd man out. your responses have largely been non sequitur.
i suspect that's because you're simply not reading our emails. if you
refuse to read what other people write, it's a waste of everyone's time.

i'm done with you until you learn how to read an email and respond to it
in a relevant manner.

peter

ps- for the record, i've been both a black hat and a professional white
hat for many years and have been involved in security, one way or
another, probably for longer than you have.

--
Make everything as simple as possible, but no simpler. -- Albert Einstein
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
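
Added example, not part of the original thread: the thread turns on a user account whose 3rd and 4th /etc/passwd fields (UID and GID) were set to "0". One way to audit a passwd-format file for such entries is sketched below; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Flag passwd(5) entries other than "root" whose UID (field 3) or
# GID (field 4) is numerically zero. Hypothetical helper names.

audit_passwd() {
    # $1: passwd-format file, "-" for stdin (default: /etc/passwd)
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[+-]/ { next }                    # NIS compat entries
        NF < 7  { printf "malformed line %d\n", NR; next }
        $1 == "root" { next }               # the one expected UID 0 account
        {
            uid0 = ($3 ~ /^0+$/)            # "0", "00", ... all resolve to 0
            gid0 = ($4 ~ /^0+$/)
            if (uid0 || gid0)
                printf "%s uid=%s gid=%s%s\n", $1, $3, $4, (uid0 ? " SUPERUSER" : "")
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample input; not taken from any real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
# constructed entries below
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joeschmo:x:0:0:Joe Schmo:/home/joeschmo:/bin/sh
builder:x:1001:0:Build account:/home/builder:/bin/sh
toor:x:00:100:alt:/root:/bin/sh
broken:x:0
+::::::
EOF
}

# Demo run over the constructed sample.
sample_passwd | audit_passwd -
```

Run `audit_passwd` with no argument to check the local /etc/passwd; any line tagged SUPERUSER is an account the kernel treats as root regardless of its name.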