Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: TTY handling when executing code in lower-privileged context (su, virt containers)
From: Jerry Bell <jerry () riskologist com>
Date: Sun, 11 Nov 2012 12:38:50 -0500

There are a few things to consider from my experience: 

1. It's easy to say "don't use weak passwords", however unless you're using some 2 factor system or systematically 
forcing random passwords, people are generating the passwords, and history tells us that most people are very bad at 
that task. 

2. Most organizations institute lockout policies for normal user accounts, so generally even a weak user password can't 
be guessed within 5 or 10 tries. However, root can't generally be locked out, so they are open to brute force attacks. 
I have first hand experience responding to incidents that resulted from root being successfully brute forced. 

3. The concept of individual accountability is becoming increasingly important for many organizations. This doesn't 
matter much in some, particularly small, environments, but in a setting with dozens or hundreds of administrators, it 
is quite important. SUDO is about the only effective way of enabling large numbers of admins to operate on a system 
while maintaining accountability.  It is not bullet proof, but it is a quite effective solution generally. 

So, I am genuinely curious - how does blocking root logins and requiring SUDO weaken a system?  I definitely have a lot 
to learn, and I feel like I am missing something. 

Regards,

Jerry



On Nov 10, 2012, at 1:30 PM, Michal Zalewski <lcamtuf () coredump cx> wrote:

I think you've taken that far too literaly. My understanding of it is to
protect against a) brute force retardation b) dumb attackers.

The advice weakens the security of your system, because it means I
just need to compromise your unprivileged account (in which you run
your browser, mail client, and so on) to own the entire box.

As for the benefits, care to elaborate? I'm not sure what a) and b)
really mean. If you're worried about brute-force, don't use trivial
passwords. If you worry about opportunistic attacks, do that and then
patch your stuff every now and then.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault