On Tuesday, 13 January 2015 12:05 AM, Stephen John Smoogen wrote:
> I don't see how this is the case. All we have done is move the
> first line of the root-kit script to calling sudo via the password
> that was used to open the account up. Since many of Linux systems
> are single user boxes.. it is most likely going to work. If it fails
> then the majority of them just dump the warning email in
> /var/spool/mail/root which never gets read (from the number of boxes
> I have had to clean up).

Sorry, I didn't get it. Running root-kit script implies you already have access to a machine. And the user has sudo(1) access enabled.

> And from looking at the sophistication of various worms these days..
> they are a lot smarter about guessing who owns the box and then trying
> various smart choices (since Fedora will select ssmoogen as my name it
> has shown up more often in brute forces by systems which I own).

That's possible. But the proposed feature is not meant to address this issue.

> I was going to say it is an informed speculation.. I have actually had to
> interview various people about weak passwords and why they chose them and
> the largest excuse is "Well I don't need to have a strong password for
> this.. its not like its root."

Yes, that is quite common. Which is precisely why we need to set hardened default configurations.

---
Regards
-Prasad
http://feedmug.com