l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
December 2: Social gathering
Next Installfest:
TBD
Latest News:
Nov. 18: Club officer elections
Page last updated:
2003 Nov 25 00:44

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] User with root privileges
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] User with root privileges



On Mon 24 Nov 03,  7:06 PM, Michael Wenk <wenk@praxis.homedns.org> said:
> On Monday 24 November 2003 04:58 am, Peter Jay Salzman wrote:
> > On Mon 24 Nov 03,  2:39 AM, Michael Wenk <wenk@praxis.homedns.org> said:
> > > On Sunday 23 November 2003 03:21 am, Peter Jay Salzman wrote: > > On Sun 
> 23 Nov 03, 12:53 AM, Michael Wenk <wenk@praxis.homedns.org> said:
> > > > > On Saturday 22 November 2003 06:51 pm, Peter Jay Salzman wrote:
> > > > > > > > but never mind that.  let's talk about something else.
> > > > > > > >
> > > > > > > > so we have a guy who presumably owns a solaris box.  he wants
> > > > > > > > to install something.  i forget what it was.  oracle?  anyway. 
> > > > > > > > he wants to do it from an account named "joeschmo", rather than
> > > > > > > > "root".
> > > > > > > >
> > > > > > > > do you really not see anything wrong with that?
> > > > > > > >
> > > > > > > > the only person who should be doing that is a hacker.
> > > > > > >
> > > > > > > Or an oracle DBA/sysadmin... oracle is not installed as root,
> > > > > > > although there are 2-3 parts that require you to run a script as
> > > > > > > root to do somethings.
> > > > > >
> > > > > > and you would change a user's UID or GID to do this?
> > > > >
> > > > > You are not making sense.  You said above that you had a guy that
> > > > > wanted to install oracle from an account other than root(which is the
> > > > > way oracle is supposed to be installed.)   So you're dinging me for
> > > > > that?  Have you ever done oracle installs?  Am I missing something
> > > > > here?
> > > >
> > > > yes, mike.  you're missing something here: the whole point.
> > > >
> > > > the whole point of this conversation is that the guy changed the
> > > > UID/GID of a user level account to "0" just so he didn't have to change
> > > > to root when he types "make install".
> > > >
> > > > get it yet?  i'll try to spell it out some more.
> > > >
> > > > he wants to edit /etc/passwd and change the 3rd and 4th fields to "0"
> > > > to bypass running the install scripts as root.  which is STUPID.
> > > >
> > > > so then i say:
> > > >
> > > >    the only person who edit's /etc/passwd and changes the 3rd and 4th
> > > >    field of a user account to zero is a hacker (or a clueless newbie).
> > > >
> > > > then you say:
> > > >
> > > >    or a oracle DBA/sysadmin
> > > >
> > > >
> > > >
> > > > in case you're being really dense, let me hold your hand some more.
> > > >
> > > > 1. i said only hackers and newbies edit /etc/passwd to give user
> > > >    accounts superuser privileges so they don't have to be root to
> > > > install software.
> > >
> > > Well for the longest time I had my passwd entry UIDing my user acct to
> > > UID 0. The only reason I changed the way I did it was because I mated my
> > > home system to a work network, and that forced me to do so.
> > >
> > > > 2. then you said "oracle DBA/sysadmins do too".
> > >
> > > Actually, the way you put it was quite unclear:
> > >
> > > "and you would change a user's UID or GID to do this?"
> >
> > ok, so now you understand.
> >
> > the way i put it was clear enough if you had read the previous message.
> > you jumped into a thread without reading the previous posts: everyone
> > else (except you) understood because they did read the previous posts.
> 
> Actually I read every post before I responded to yours.  Yours made utterly no 
> sense in the context i was in at the time. 
> 
> >
> > > > you have to laugh because i value my system?!?
> > > >
> > > > that is one of most callous and non-professional things i've ever heard
> > > > anybody claiming to be "system administrator" say.
> > >
> > > Funny that you are calling me unprofessional.  That is a good one.  Maybe
> > > you ought to act the way
> > >
> > > And I am laughing because you are missing the obvious.  I wonder how good
> > > the lock is on your door?  Or the door itself?
> >
> > who the hell cares?
> 
> I am saying that first and foremost, physical security is the foundation of 
> all security.  If the place where the box lives is not secure, you can add as 
> much fancy shmancy crap you want, it will not matter, someone who wants your 
> data badly enough will just take your box.   Is that clear enough for you, or 
> do I need to word it more simply?  
> 
> You know what, kiss my ass.  Go ahead find a place to hire you, get 8 or 9 
> years of experience with security and then we'll talk.  
> 
> > most of the people who hack into computers are looking to install DoS
> > servers, IRC servers, poke around people's files and collect accounts to
> > trade with other hackers.  NOT to steal hard drive contents.  but you
> > seem to laugh at this.
> >
> > that's the main danger of not caring about the security of a home system
> > on DSL.  we don't give a flying fuck about physical security.  this
> > isn't corporate.  we care about people breaking into our systems and
> > making them a launch pad for hacking other systems, spam and kiddie
> > porn.  but you seem to laugh at this.
> 
> Actually, you were talking about doing this professionally.  Look at it this 
> way, any of that crap happens, you will find it pretty friggin quickly.  You 
> do that, you rebuild your box, and then you're done.  Odds are you'll not be 
> hit again.  No one I personally know has been hit by a hacker in that way, 
> and no one I know has done anything beyond really simple crap like securing 
> services that takes perhaps 15-20 minutes.  Then look at all the time you 
> spend at it going beyond that, compare it with the time you spent building 
> your system in the first place.  For me, that's pretty solidly more time 
> spent actually securing the thing than building it(and doing such small 
> things as turning off services and running strobe against the system to make 
> sure unnecessary crap is off.)  I think for the vast majority of people out 
> there, it would also be skewed that way.  
> 
> > you seem to think physical security is the end all and be all and have
> > NO concept of what 99% of all hackers want.  you laugh at people who
> > worry about their home systems getting hacked into because you expect
> > home invasion to vastly outweigh getting hacked into.  you also think
> > that someone who breaks into our house is going to steal our computer.
> > hah.
> 
> Only if they want your data.  The only reason I'd be concerned about my system 
> is for the data on it.  Someone hacks it, OK, fine, I load a CD, spend 10-15 
> mins setting up the install, go off for a half hr, and come back.  Done.  
> Load a second CD, launch a script, go to the movies, come back, Done.  have a 
> nice new hot system, minus my data(important stuff is backed up to CD.)  I 
> have perhaps 30 minutes on that, perhaps another 30 minutes to make sure its 
> all pretty, and I am done.  Can you do a really good job in securing a system 
> in an hr?  I doubt it, and if you could, you're missing something.   
> 
> 
> >
> > you are the MOST clueless system administrator i've ever met.  it's hard
> > to believe you even call yourself one.
> 
> Again Pete, I suggest you get something called real world experience before 
> you say that.  First year or two, you learn about the crap you really have to 
> worry about vs the crap that's irrelevant.  

mike,

mark understood.
ryan understood.
rhonda understood.

you're the odd man out.  your responses have largely been non-sequitar.
i suspect that's because you're simply not reading our emails.  if you
refuse to read what other people write, it's a waste of everyone's time.

i'm done with you until you learn how to read an email and respond to it
in a relevent manner.

peter

ps- for the record, i've been both a black hat and a professional white
hat for many years and have been involved in security, one way or
another, probably for longer than you have.

-- 
Make everything as simple as possible, but no simpler.  -- Albert Einstein
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Sunset Systems
Who graciously hosts our website & mailing lists!