root login - fixing fedora 11

root login - fixing fedora 11 | 1 comments | Create New Account

The following comments are owned by whomever posted them. This site is not responsible for what they say.

Authored by: r00t on Sunday, December 06 2009 @ 04:30 AM EST

I thought I had better add a quick comment in an attempt to hold back the flood of 'Never login as root' flames that will follow.

First of all, I do not always log in as root. I log in as root when i need to update or reconfigure a system. I have configured my root desktop to launch my browser under my standard users account and my irc client runs in a chroot jail. Those are simple precautions for the high risk applications and the files that they may download.

As for the idea that your system is safer logging in as a normal user and then typing your root password later when you need to run an administrative app, I would like to remind you that hackers are childish but not stupid! From the mindset of a hacker i would be drooling at the thought of an overconfident semi-admin constantly typing the root password in a cluttered GUI environment.

Consider the following psudocode example:

trojan-worm // basic download with only normal user privlidages

{

deliver password stealing app;

replace the menu shortcut for and administrative app with shortcut to password stealing app;

}

password stealing app // simple script to simulate admin password prompt (GUI for prompt copied from open source code so appearance is identical) still only user permissions

{

prompt for password;

silently confirm password;

if password is valid {

remove shortcut to password stealing app and put back original administrative app shortcut;

post root password to #alt.leet.haxorz with a flaming challenge to test your security;

}

return false notice that the password was entered incorrectly;

quietly exit and delete password stealing app;

}

Edited on Monday, December 07 2009 @ 12:03 AM EST by r00t

Topics

User Functions

Events