Date: Wed, 25 Oct 2000 18:03:57 +1100
From: Kerry Hoath
To: speakup@braille.uwo.ca
Subject: Re: Root access (was RE: which prebuilt linux boxes seem to work best?)
Message-ID: <20001025180357.A642@gotss.eu.org>

How about this: use ssh and permit root logins with it. That way if you do have to come in as root remotely you can do it encrypted. You can use options in /etc/ssh/config to allow only validated hosts in, i.e. certain IPs with keys that are known to the server or certain host keys. You can't telnet in as root normally unless you add all pseudo ttys to /etc/securetty. What's wrong with telnetting in as a normal user and running su?

Regards, Kerry.

On Mon, Oct 23, 2000 at 08:55:11PM -0500, Brent Harding wrote:
> There's no securetty that'd work remotely, I'm sure because it doesn't
> allow you to use an ip address. I'm sure eth0 doesn't count, as it's not
> really considered a device file in /dev. I'm not fond of the idea of
> multiple root privileged users, especially if it's not really needed.
> At 05:08 PM 10/23/00 +1100, you wrote:
> >On Sun, 22 Oct 2000, Brent Harding wrote:
> >
> >> What access does the root group give? Setting up virtual hosts, or whatever
> >> involves a lot of access, depending which virtual service one is using,
> >
> >This would vary from system to system, depending on what files belong to
> >the root group and the permissions on those files.
> >
> >> unless there were a script out that I could be given access to to get all
> >> of it done that'd run as root.
> >
> >You could do this, but it'd be up to the sysadmin to do this.
> >
> >> Wouldn't it take the luck of the draw, for say the admin gives the access
> >> to /dev/pts/0 and someone else is logged in to that, so my connection could
> >> be pts/4 or 5 depending who's on? I'd somehow have to move them to another
> >> device so I could get my privileges.
> >
> >Yes, which is why you wouldn't ever put a pts device in
> >/etc/securetty. And the sysadmin would still have to give out the root
> >account's password to you. In fact, if I were a sysadmin, I'd consider
> >clearing out /etc/securetty altogether so no one could log in directly as
> >root, meaning that everyone would either have to know both a user name and
> >password and the root password, or have access to sudo as a user. Sounds
> >much more secure.
> >
> >Geoff.
> >
> >--
> >Geoff Shang
> >ICQ number 43634701
> >
> >_______________________________________________
> >Speakup mailing list
> >Speakup@braille.uwo.ca
> >http://speech.braille.uwo.ca/mailman/listinfo/speakup

--
Kerry Hoath: kerry@gotss.eu.org
Alternates: kerry@emusys.com.au kerry@gotss.spice.net.au or khoath@lis.net.au
ICQ UIN: 62823451
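
The two controls this thread discusses (root logins over ssh limited to known hosts and keys, and keeping pseudo-terminals out of /etc/securetty), checked by a small shell audit. This is an added example, not part of the original message; it assumes OpenSSH's server keywords PermitRootLogin, PasswordAuthentication and AllowUsers, and the sample files, the user alice and the address 192.0.2.10 are constructed.

```shell
# Added example: audit the root-login controls discussed in this thread.
# Assumptions: OpenSSH keywords; Match blocks and Include files are ignored.

# Print every argument of each uncommented line for keyword $1 in file $2.
sshd_args() {
    awk -v key="$1" 'tolower($1) == tolower(key) {
        for (i = 2; i <= NF; i++) print tolower($i) }' "$2"
}

# Usage: audit_root_login SSHD_CONFIG SECURETTY  (prints one finding per line)
audit_root_login() {
    root_login=$(sshd_args PermitRootLogin "$1" | head -n 1)
    pw_auth=$(sshd_args PasswordAuthentication "$1" | head -n 1)
    allow=$(sshd_args AllowUsers "$1")
    if [ "$root_login" = yes ] && [ "$pw_auth" != no ]; then
        echo "sshd: root may log in with a password"
    fi
    # An unset PermitRootLogin is treated as enabled: the built-in default
    # has differed between OpenSSH releases.
    if [ "$root_login" != no ]; then
        # No AllowUsers at all, or a host-less root entry, admits any host.
        if [ -z "$allow" ] || printf '%s\n' "$allow" | grep -Eqx 'root(@\*)?'; then
            echo "sshd: root login is not limited to named hosts"
        fi
    fi
    # Pseudo-terminals are handed out per connection, so listing one lets
    # root log in over telnet whenever the session lands on it.
    awk '$1 ~ /^(pts\/|ttyp)/ {
        print "securetty: root login allowed on pseudo-terminal " $1 }' "$2"
}

# Constructed sample files: a loose setup and a tightened one.
write_samples() {
    printf '%s\n' 'PermitRootLogin yes' '#PasswordAuthentication no' > "$1/sshd_loose"
    printf '%s\n' 'console' 'tty1' 'pts/0' 'pts/1' > "$1/securetty_loose"
    printf '%s\n' 'PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
        'AllowUsers alice root@192.0.2.10' > "$1/sshd_tight"
    printf '%s\n' 'console' 'tty1' > "$1/securetty_tight"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "loose:"; audit_root_login "$demo_dir/sshd_loose" "$demo_dir/securetty_loose"
echo "tight:"; audit_root_login "$demo_dir/sshd_tight" "$demo_dir/securetty_tight"
rm -rf "$demo_dir"
```

Point `audit_root_login` at copies of a host's own files to get the same one-line findings; an empty result means none of the three conditions was found.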