Vineet Kumar <[EMAIL PROTECTED]> writes:

> * Robert Epprecht ([EMAIL PROTECTED]) [011208 02:31]:
> > I need ssh to access some cvs servers. As the files are stored locally
> > below /usr/local/ and ordinary users have no write access there I called
> > ssh-keygen as root. But now I have my doubts if this was The Right
> > Thing to do regarding security. I *do* trust the cvs servers in
> > question and am not paranoid about security, but I do want a reasonable
> > security level. Comments welcome.
>
> Rather than root, add your user account to group staff. This gives
> you access to /usr/local.

That would indeed be a lot better than ssh'ing in as root. I believe
the default setup doesn't even let you (or was that a configuration
question?).

> It should be noted, though, that this account
> becomes stronger than you can possibly imagine. (Well, not really, but
> it's easy for it to get root). One prime example of this is that
> /usr/local/sbin and /usr/local/bin come first in root's path.

On my machine these come last by default(!) when I su

  [EMAIL PROTECTED]:~$ su
  Password:
  frodo:/home/user# echo $PATH
  /sbin:/bin:/usr/sbin:/usr/bin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin
  frodo:/home/user#

and they are not even there when logging in as root

  frodo login: root
  Password:
  [...]
  Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
  permitted by applicable law.
  frodo:~# echo $PATH
  /usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
  frodo:~#

Besides, when r00t you use full pathnames, not?

-- 
Olaf Meeuwissen       Epson Kowa Corporation, Research and Development
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
LPIC-2           -- I hack, therefore I am --                 BOFH
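The point argued in the message above is that the risk depends on which of root's PATH entries a non-root account (such as a member of group staff) can write to, and where those entries sit in the search order. The following is an added example, not part of the original mail: a POSIX sh check for that condition. The function names audit_path and loosely_writable and the output format are made up for this illustration.

```shell
#!/bin/sh
# Added example: flag PATH entries that someone other than the owner can
# write to, and show where they sit in the search order.

# Succeeds if $1 is a directory writable by its group or by everyone.
# -H follows a symlinked PATH entry so the target's mode is what gets checked.
loosely_writable() {
    [ -n "$(find -H "$1" -prune -type d \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_path PATHSTRING
# Prints one line per risky entry: "<position>/<total> [<entry>] <reason>".
# Returns 1 if anything was flagged, 0 otherwise.
audit_path() {
    # The appended ":" keeps a trailing empty entry from being dropped
    # when the string is split on colons.
    entries="$1:"
    old_ifs=$IFS; IFS=:; set -f
    set -- $entries
    IFS=$old_ifs; set +f
    total=$#; pos=0; status=0
    for dir in "$@"; do
        pos=$((pos + 1))
        case $dir in
            ''|.) reason="current directory" ;;
            /*)   loosely_writable "$dir" || continue
                  reason="group/world-writable; entries searched after it: $((total - pos))" ;;
            *)    reason="relative path" ;;
        esac
        echo "$pos/$total [$dir] $reason"
        status=1
    done
    return "$status"
}
```

Run it from the shell whose search path matters, for example audit_path "$PATH" after su. A flagged entry with 0 entries after it cannot shadow an installed command, but it can still supply any name that is not found earlier, which is the reason for typing full pathnames as root.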