On 20201108 11:33:30, Dave Stevens wrote:
> On Sun, 8 Nov 2020 14:19:53 -0500
> Jamie Fargen <ja...@fargenable.com> wrote:
>> If you have physical access it is trivial to gain root to the host, by
>> booting into single user mode and changing the root password.
> you mean it won't work over ssh?
There seems to be some linguistic misunderstandings here. What is a "root user"?
I see that as somebody logged in as root. Anybody else has an account with sudo
enabled, a sudoer. Anybody else is a user as is a sudoer when not prefixing
commands with "sudo ". I interpreted "root user" to be somebody logged in using
the root password not somebody who can run (some) root level commands using sudo
instead of "su -l".
You have two classes of login, remote and local. Remote can be subdivided if you
wish. It simply means the remote user cannot reach over and push a button to
physically reboot the machine. (And on at least one version of RedHat Linux I
used, even the local reboot to single user mode required a password. That
restriction didn't last long as I recall.)
As a courtesy ANYBODY, root, sudoer, or user logged into a local (I can reach
over and push a damn button if I have to) machine should be able to reboot,
perhaps after some politeness mumbo-jumbo. ( "Fred, sue, marcy, meghan, george,
johnj, and johna are logged in. Reboot anyway after warning them? y/n".) That
allows the user about to pull the power switch a chance to be inhumanly polite.
But, in the end, the reboot should happen. Perhaps if root is also logged in the
mumbo-jumbo should be a little more serious.
Any user logged in remotely should not be able to reboot the machine, period,
end of statement.
Any sudoer logged in remotely, when root is not logged in, should be able to
reboot the machine after politeness mumbo-jumbo and rituals. If root is logged
in I don't know what should happen. How much do you trust your root password or
other account access? If you trust it implicitly, reboot should be prohibited
even to sudoers. If you figure that the root account may get compromised and
that "root" you see is not legitimate, then sudoers, people trusted more than
most, should be able to reboot the machine hoping to catch it as it boots and
close its doors. "Good luck".
If you log in as root or su -l in as root then shutting down the machine with
"shutdown" should work with the standard politeness mumbo-jumbo and "shutdown
now" should bring it down instantly.
Aside: Above this you might add a "shutdown (secret word here)" command that
allows only a remote or local root login with the machine in a "dumb" state. The
remote would be accepted only from one specific IP address range. Once logged in
a specific sequence of commands would enable normal root access for that login.
Then you can troubleshoot the machine and try to root out nasties before they
manage to take the machine back away from you.
Now that there is a definition for local and remote logins and three account
types what do YOU guys think should be the actions when "shutdown" is typed by
some warm body at some keyboard somewhere that is somehow linked to any given
machine?
Get specific and blow the generalities.
{^_^}
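The local/remote and root/sudoer/user policy sketched in the post above can be expressed for the systemd-logind path (an unprivileged user running `systemctl reboot` or `systemctl poweroff`, which goes through polkit) as a polkit rules file. The block below is an added example written for this page, not code from the thread or from Fedora. It assumes the file name `/etc/polkit-1/rules.d/50-reboot-policy.rules`, that "sudoer" means membership in the `wheel` group, that "root is logged in" means `loginctl list-sessions` shows a session for UID 0, and, for the case the post leaves open (remote sudoer while root is logged in), it picks the "trust the root account implicitly, so deny" branch. The decision is kept in a pure function so it can be exercised outside polkit; the action ids and the `polkit.Result` constants are the real systemd-logind and polkit ones.

```javascript
// Added example (hypothetical path): /etc/polkit-1/rules.d/50-reboot-policy.rules
// polkit's JS engine is ES5-only, so no let/const/arrow functions here.

// Real systemd-logind action ids that systemctl reboot/poweroff ask polkit for.
// The "-multiple-sessions" variants are used when other users are logged in,
// which is exactly the post's "Fred, Sue, ... are logged in" case.
var SHUTDOWN_ACTIONS = {
  "org.freedesktop.login1.reboot": true,
  "org.freedesktop.login1.reboot-multiple-sessions": true,
  "org.freedesktop.login1.power-off": true,
  "org.freedesktop.login1.power-off-multiple-sessions": true
};

// Parse `loginctl list-sessions --no-legend` output (SESSION UID USER SEAT TTY)
// and report whether any session belongs to root. Assumption: UID 0 or user
// name "root" is what the post means by "root is logged in".
function rootHasSession(listSessionsOutput) {
  var lines = String(listSessionsOutput).split("\n");
  for (var i = 0; i < lines.length; i++) {
    var f = lines[i].trim().split(/\s+/);
    if (f.length >= 3 && (f[1] === "0" || f[2] === "root")) {
      return true;
    }
  }
  return false;
}

// Pure policy decision, mirroring the post:
//   local (at the keyboard): allowed; the "politeness" step (re-auth as admin)
//     kicks in when others are logged in, when root is logged in, or when the
//     local session is not the active one on the seat.
//   remote, plain user: never.
//   remote, sudoer: allowed after re-auth, unless root is logged in (the
//     undecided case in the post; this example chooses to deny there).
// Returns "yes", "auth_admin", "no", or null when the action is not ours.
function decideShutdown(actionId, isLocal, isActive, isSudoer, rootLoggedIn) {
  if (!SHUTDOWN_ACTIONS[actionId]) {
    return null;
  }
  var othersLoggedIn = /-multiple-sessions$/.test(actionId);
  if (isLocal) {
    if (othersLoggedIn || rootLoggedIn || !isActive) {
      return "auth_admin";
    }
    return "yes";
  }
  if (!isSudoer || rootLoggedIn) {
    return "no";
  }
  return "auth_admin";
}

// Wire the decision into polkit when running inside polkitd. The typeof guard
// lets the same file be loaded by a plain JS runtime for testing.
if (typeof polkit !== "undefined") {
  polkit.addRule(function(action, subject) {
    var sessions = "";
    try {
      // polkit.spawn runs the program and returns its stdout; it throws on failure.
      sessions = polkit.spawn(["/usr/bin/loginctl", "list-sessions", "--no-legend"]);
    } catch (e) {
      sessions = "";
    }
    var verdict = decideShutdown(action.id, subject.local, subject.active,
                                 subject.isInGroup("wheel"), rootHasSession(sessions));
    if (verdict === "yes")        { return polkit.Result.YES; }
    if (verdict === "auth_admin") { return polkit.Result.AUTH_ADMIN; }
    if (verdict === "no")         { return polkit.Result.NO; }
    return polkit.Result.NOT_HANDLED;
  });
}
```

The caveat a practitioner needs: polkit only sees D-Bus callers. A real root login, `su -l`, or `sudo shutdown` runs as UID 0 and never consults this file, so the post's "root can always shut down" holds by construction, and the "remote users never reboot" rule is only as strong as the sudoers policy that keeps `/sbin/shutdown` and `systemctl` out of their hands. Also check with `pkaction --verbose --action-id org.freedesktop.login1.reboot` that no later rules file overrides this one; rules are evaluated in file-name order.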
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org