> You still should use sudo, with a password - the user's own password.
> Using root password many times, every day, is bad for security (the more
> times you type it the higher the chances are it will be captured) and it
> instills the desire of an easy to remember and fast to type password.

What people often overlook about having a real root password is that it is possible to press control-alt-F2 and log in as root on a text console. To intercept the password in that case typically requires root anyway, or some sort of physical access - in either case the game is already over.

This is different to using sudo or su, where a random JavaScript exploit can control Firefox which then straces your xterm or updates your .bashrc to grab your password the next time you type su or sudo.

And the common use-case for typing in a root password is to mount a removable disk when one is physically at the computer, where control-alt-F2 is accessible.

Sudo has its uses, but the practice of using sudo and no root password is a convenience (fewer passwords to remember) which typically weakens security.

regards marc
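
The .bashrc tampering mentioned in the message above can be checked for from the defender's side. The following is an added example, not part of the original post: a heuristic scan of shell rc-file text for aliases, functions or PATH prepends that would shadow su or sudo. The function name, the watched-command list and the sample rc contents are assumptions constructed for illustration.

```python
import re

WATCHED = {"sudo", "su"}  # commands that prompt for a password

ALIAS_NAME = re.compile(r"(?:^|\s)([\w.-]+)=")
FUNC_DEF = re.compile(r"^\s*(?:function\s+([\w.-]+)|([\w.-]+)\s*\(\s*\))")
PATH_SET = re.compile(r"^\s*(?:export\s+)?PATH=[\"']?([^\"'\s:]*)")

# Constructed sample, not taken from any real system.
SAMPLE_RC = """\
# ~/.bashrc (constructed sample)
alias ll='ls -l'
export PATH="$HOME/.cache/bin:$PATH"
alias sudo='/home/user/.cache/bin/helper'
su() { command su "$@"; }
PATH=$PATH:/opt/tools/bin
"""


def scan_rc(text):
    """Return (line_no, kind, detail) findings for the text of one rc file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.strip()
        if not code or code.startswith("#"):
            continue
        if code.startswith("alias "):
            # One alias line may define several names.
            for name in ALIAS_NAME.findall(code[len("alias"):]):
                if name in WATCHED:
                    findings.append((no, "alias", name))
            continue
        m = FUNC_DEF.match(code)
        if m and (m.group(1) or m.group(2)) in WATCHED:
            findings.append((no, "function", m.group(1) or m.group(2)))
            continue
        m = PATH_SET.match(code)
        if m and m.group(1) not in ("$PATH", "${PATH}"):
            first = m.group(1)  # empty string means the current directory
            # A user-writable directory ahead of $PATH can hold a fake sudo/su.
            if not first.startswith(("/usr/", "/bin", "/sbin")):
                findings.append((no, "path-prepend", first))
    return findings


if __name__ == "__main__":
    for no, kind, detail in scan_rc(SAMPLE_RC):
        print(f"line {no}: {kind}: {detail!r}")
```

This only inspects static file text. It does not see a process that is already being traced, and a finding such as a PATH prepend is a prompt for review, not proof of tampering.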