[NTLUG:Discuss] DistroWatch 10 Most Popular Linux Distros

terry trryhend at gmail.com
Fri Apr 3 13:51:18 CDT 2009


On Fri, Apr 3, 2009 at 12:01 PM, Kenneth Loafman <kenneth at loafman.com> wrote:
>
> terry wrote:
> > 2009/3/29 Ted Gould <ted at gould.cx>
> >
> >> On Wed, 2009-03-25 at 14:23 -0500, Ted Gould wrote:
> >>>> All in all, they're trying to duplicate the "friendliness"
> >>>> of Windows.  And that's just SOOOO wrong.  People who think
> >>>> Linux distros are "hard"... just don't understand the
> >>>> complexity of being on a shared network.... Windows makes
> >>>> 1001 assumptions... and has a myriad of security issues.
> >>>> We don't need to emulate them.
> >>> Could you give some examples of Ubuntu security flaws that are created
> >>> through this "duplication of Windows"?  I'm not aware of any.  In fact,
> >>> I can largely only think of security enhancements.  The hiding of the
> >>> root user.  Apparmor by default.  No external services enabled by
> >>> default.
> >
> > It is a good thing that ssh is not installed by default on a Ubuntu system
> > because "hiding the root user" is not a security enhancement.  Not setting a
> > password for root and therefore not having access to it and giving all admin
> > rights to the user can not be a security enhancement, it could only be
> > called a breach of security.  It may make the system simpler and easier to
> > install and negotiate by the novice user but I see no way we can construe it
> > as a security enhancement.
>
> Contrary to popular misconception, root on Ubuntu *is* configured with a
> strong password, generated but not provided to the user.  Their goal was
> to force the user to use sudo or one of the alternatives, rather than do
> what users quite often do, sign on as root and stay there.

Why then does the user only have to use sudo to set a password for
root in order to be able to log in as root from then on?  Or until it is
changed back... $ sudo passwd root, and then $ sudo passwd -l root to
set it back and disable root login again.

But that little trick is not necessary in the first place because one
only has to do
  sudo su
or
  sudo -i
and he/she obtains a root shell.

Some users (especially novice users) may use a pretty weak password
for their user account, which DOES in fact afford several avenues for
admin privileges. If they install openssh-server, how in the world
that can be considered as a security enhancement is going to be pretty
hard to explain, but I'm quite willing to listen if anyone would like
to give it a shot.

That's the reason I say that it is a good thing that openssh-server is
not installed by default.  I think it may have openssh-client installed
but not openssh-server on a default Ubuntu / Kubuntu / Mint install,
but one only has to do sudo apt-get install openssh-server and away
you go - if you do not have a good firewall between yourself and an
untrusted network you darn sure need a good strong password for user.
In comparison, if it were a normal Linux distro that has a good strong
root password and (to go a step further) if sshd is limited only to
user and not root (which in my opinion ought to be the default
configuration), we must admit, we'll be a lot better off.
I welcome any criticism or challenge to my assumptions, but at this
point, I can't see it any other way.

I must admit tho, that we sometimes need protection from ourselves.
If someone is insane enough to log in as root and use it as if it
were a user account, well yes, they could initiate a GUI and get on
the internet with the machine and it is just a disaster waiting to
happen - and yes, I know, an X-MS user may very well do just that -
even if they are instructed not to, and so in that way, yes, even I
would have to admit that in that situation, a Ubuntu system is the
only Linux distro someone in that mindset should ever get hold of --
Ubuntu is probably the best security someone like that could possibly
have, because it protects one from one's self.  But as far as
protection from the outside, there is no way [at this point] I could
consider it a valid excuse for disabling root and giving admin
privilege to the user.

And yes, I did - I stole your argument - I had every intention of
letting you make it for yourself.... but just couldn't stop
myself..... sorry.... I get to typing and the keyboard just carries me
away sometimes....  :)


>
>
> The first user does have 'admin' rights, but not all the rights of root
> by a long shot.  After the first user, additional users get normal
> rights.  This may be a security breach to you, but for the most part,
> the first user is almost always the one that runs the machine and having
> admin rights is needed.  It's a nice balance of power, but may not play
> well with fascist IT departments.
>
> ...Ken
>



--
<><
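
The two settings argued over in this message, the state of root's password and whether sshd accepts root logins, can be read straight from a shadow-format file and an sshd_config. The script below is an added example and not part of the original post: its function names and sample file contents are constructed, and it assumes the shadow convention that a password field starting with ! or * (which is what passwd -l produces) matches no password.

```shell
#!/bin/sh
# Added example; all sample data below is constructed, not from a real system.

# root_pw_state FILE: state of root's password field in a shadow-format file.
# Prints locked | empty | set | missing.
root_pw_state() {
    field=$(awk -F: '$1 == "root" { print $2; found = 1; exit }
                     END { if (!found) print "MISSING" }' "$1")
    case "$field" in
        MISSING)   echo missing ;;
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;   # passwd -l prefixes the hash with !
        *)         echo set ;;
    esac
}

# sshd_root_login FILE: value of PermitRootLogin in an sshd_config-format file.
# sshd uses the first occurrence of a keyword; commented-out lines are skipped.
# Prints "unset" when the file leaves it to the compiled-in default.
# Simplification: Match blocks are not interpreted.
sshd_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# audit SHADOW SSHD_CONFIG: one-line verdict combining both checks.
audit() {
    pw=$(root_pw_state "$1")
    ssh=$(sshd_root_login "$2")
    if [ "$ssh" = "no" ]; then
        echo "ok: sshd refuses root (root password: $pw)"
    elif [ "$pw" = "locked" ]; then
        echo "warn: root password locked, but sshd PermitRootLogin is $ssh"
    else
        echo "risk: root password $pw and sshd PermitRootLogin is $ssh"
    fi
}

# Constructed sample files standing in for /etc/shadow and sshd_config.
demo_dir=$(mktemp -d)
printf 'root:!:14337:0:99999:7:::\n'                   > "$demo_dir/shadow.locked"
printf 'root:$6$constructed$hash:14337:0:99999:7:::\n' > "$demo_dir/shadow.set"
printf '#PermitRootLogin yes\nPermitRootLogin no\n'    > "$demo_dir/sshd.noroot"
printf 'Port 22\nPermitRootLogin yes\n'                > "$demo_dir/sshd.root"

audit "$demo_dir/shadow.locked" "$demo_dir/sshd.noroot"
audit "$demo_dir/shadow.set"    "$demo_dir/sshd.root"
```

On a real machine the same functions take /etc/shadow (readable only by root) and /etc/ssh/sshd_config as arguments. Neither check covers the user's own password, which under sudo is the other path to a root shell discussed above.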


