Re: hi all..

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2007-02-02 at 17:35 -0800, Evan Klitzke wrote:
> On Fri, 2007-02-02 at 14:21 -0800, Michael A. Peters wrote:
> > Some of the other distros that seem easier only seem so because they
> > compromise security to achieve it - such as very insecure sudo defaults
> > that essentially make any admin group user password a root password.
> > 
> > IE someone gets your user account password, they can do more than just
> > mess up your user files, they can become root with sudo and alter
> > binaries so that you don't know they are there, continuously collecting
> > information about you.
> 
> The security of Fedora has nothing to do with not having sudo accounts
> by default. If your password is compromised and you are in the wheel
> group, there are any number of mechanisms that someone could use to try
> to get you to reveal the root password.

None of them are sure thing - with bad sudo defaults they do not have to
exploit something which often results in triggering something, and they
have root instantly giving them the ability to alter binaries and put
other back doors into the system.

While having a local account compromised means that they only have to
find a local exploit to root the box, having a local account compromised
that has sudo privileges means they own the box already.

> 
> Fedora is more secure than a lot of other distributions because it
> enables SELinux by default; it has nothing to do with the use or nonuse
> of sudo accounts (which, incidentally, have a finer grained
> authentication mechanism than the su command).

sudo can be configured to be more fine grained that the su command.
The default that Apple, Ubuntu, and others have are not fine grained at
all - anyone in the right group can execute any command they want root.

Do you think users who don't already know how to lock down sudo are
going to do so? Users who already know how to lock down sudo do not need
insecure defaults, so the default configuration that OS X and ubuntu use
are not for them, those defaults are for the vast majority of people who
will never ever change them.

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux