> > Puppy Linux is interesting. I used it for awhile and liked that it was fast,
> > and fun. A bit lacking in software, but with the Slacko packages you can
> > make it better. My main concern about it was that it logs you in as root
> > (without even a password). A lot of people have expressed concern about this
> > apparent security hole, but Puppyistas are insistent that it's no problem. I
> > remain somewhat sceptical.
>
> I usually don't even think about that, but, when I do think about it,
> it worries me too. Thanks for bringing it up, I had forgotten all
> about that.
>
> My rather pitiful approach to security (other than burying my head in
> the sand) is mostly to just blindly hope that the people who think
> Puppy is secure enough are right.
>
> While running things as root and mostly not having to worry about user
> privileges, etc. certainly makes things simpler, I've always suspected
> it might be a dangerous and harmful oversimplification.
>
I believe a lot depends on how you use the computer in question. When you are a desktop-mostly user, it is a very good idea to not run as root. This is mostly due to the fact that certain less secure applications you use to interact on the Internet can do nasty stuff to your machine (I'm looking at you, IRC). Running as root allows them to do so with root privileges.

There are no significant *security* implications when running as root if you mostly use Linux as a server OS. Simply banging "sudo" in front of most of your commands doesn't help you at all when it comes to security. There is a small benefit in not having the root account having a password, in the sense that everybody knows that there must be a root account on your machine, so that becomes an immediate target for every cracker with a rainbow table and some sort of shell access.

Besides that, the reason that a distro like Ubuntu pushes you to use sudo as opposed to root is mostly so that you don't accidentally break things. However, it is my view that adding sudo in front of everything doesn't actually stop you from being an idiot. rm -rf /* is going to do as much damage as sudo rm -rf /*.

sudo does help a bit when you have a multi-user system, with multiple admin accounts, where you can claim to have some deeper, finer-grained access control, but it is my view that this is also more of a kludge. If you want to do it right, implement SELinux, or AppArmor or something. However, properly implementing RBAC for such a scenario is a massive undertaking in the larger scheme of things and few people bother.

sudo is a mostly ineffective kludge at best, and for most users it provides a very false sense of security. IT security is very hard, it is a constant battle of real compromises, and there are *no* silver bullets or magic programs that will make a system secure.
The best line of defense for day to day ops is not sudo, it is knowing and understanding your system, its components, how they interact, what they require, and how they expose you. Security starts and ends with the user.