LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   When i connect on the internet I want root not to access the internet !! (http://www.linuxquestions.org/questions/linux-security-4/when-i-connect-on-the-internet-i-want-root-not-to-access-the-internet-339907/)

skouket 07-04-2005 12:25 PM

When i connect on the internet I want root not to access the internet !!
 
When i am connecting to the internet as user , which i work i want the root to to be able to access the internet to avoid security issues.
Meaning:
A user is logged on and make a connection(dial-up) to the internet.
root logs into the system but he should not access the internet.

I can to this by removing the "rw" permisions of root from the modem device character under /dev/ ??

I am asking this because let's say i want to recompile the kernel.
This takes about 30 minutes.For these 30 minutes i want to suft on the internet but the compilation of the kernel is done using my root account :)

So will the above work or do you have anything else to propose ?? :)

Noth 07-04-2005 01:01 PM

Don't compile as root, there's no reason to.

And you can't stop root form accessing the Internet, you could try with netfilter rules but root can change those.

oneandoneis2 07-04-2005 01:03 PM

It won't work, root is above permissions.

I honestly wouldn't worry about it. The mere fact that root is running something won't make it any easier for a cracker to compromise your PC.

Ephracis 07-05-2005 04:24 AM

Compile as a user and install as root. And when you install, you can pull out the network cable if you want. But as one said earlier: there is no need to. Because root always exists even if you haven't logged in as root. A smart cracker may compromise your computer and make himself root through some sort of root exploit, and this can happen even if you never ever logged in as root. So it just doesn't matter. Just make sure not to use root for your daily surfing, mail reading, IM messaging and so on and you will be at least more secure than those idiots in the windows world, doing everything as Administrator! *evil laugh*

:)

overlord73 07-05-2005 04:34 AM

Quote:

Originally posted by Ephracis
...... and you will be at least more secure than those idiots in the windows world, doing everything as Administrator! *evil laugh*
big big grin!

skouket 07-05-2005 10:33 AM

i do some things as root, like development , package creation(for slack) and kernel compilation as root.
As for surfing etc ... meaning the desktop use , i do it as user..

Come thinking of it now i should probably create an account for development and then i would do almost nothing as root ( except when it is needed ) :)

Thnx for the information and the replies guys ;)

Ephracis 07-05-2005 11:06 AM

One more thing you can do: if you install stuff without a package manager (I use Slack so I have to do it this way) you can make sure to have a dir like ~/programs/ and than issue "./configure --prefix=/home/you/programs" instead of just ./configure. That will install the package in your home dir, so you will have write access and than you do not even have to be root to install it. Now just add that directory to $PATH and you can run the program just as before. I use it, and I like it. Only root when you just MUST be it, that's a nice way to go. :)

Regards.

skouket 07-06-2005 11:40 AM

Quote:

Originally posted by Ephracis
One more thing you can do: if you install stuff without a package manager (I use Slack so I have to do it this way) you can make sure to have a dir like ~/programs/ and than issue "./configure --prefix=/home/you/programs" instead of just ./configure. That will install the package in your home dir, so you will have write access and than you do not even have to be root to install it. Now just add that directory to $PATH and you can run the program just as before. I use it, and I like it. Only root when you just MUST be it, that's a nice way to go. :)

Regards.

i use slackware too but i install almost all my programs under /usr/local
but what you propose is good.
i don't worry much because i am dial-up and i don't use internet for more than 4hours at home.
i am gonna get broadband soon and what you propose here may be a must :)

Ephracis 07-06-2005 02:45 PM

Quote:

Originally posted by skouket
i use slackware too but i install almost all my programs under /usr/local
Yes, that is the "standard" and so did I. But the main reason I changed that is because my home dir is on another partition so when I re-installs Linux I can keep my old programs.

Quote:

i don't worry much because i am dial-up and i don't use internet for more than 4hours at home.
i am gonna get broadband soon and what you propose here may be a must :)
Yeah, being on a modem is pretty more secure, but they tend to be slow, so I like broadband better. :P

DeekBeek 07-09-2005 07:43 AM

I don't have a clear understanding what sudo does in relation to root. I installed the netzero.deb package under SuSE Linux 9.2, then set it up to run from my user directory using sudo. Am I accessing the internet as root when I use this sudo arrangement, or is it more protected? I tried changing file permissions and ownerships on the netzero installation directory before resorting to sudo; no luck there, though.

Ephracis 07-09-2005 08:32 AM

Quote:

Originally posted by DeekBeek
I don't have a clear understanding what sudo does in relation to root. I installed the netzero.deb package under SuSE Linux 9.2, then set it up to run from my user directory using sudo. Am I accessing the internet as root when I use this sudo arrangement, or is it more protected? I tried changing file permissions and ownerships on the netzero installation directory before resorting to sudo; no luck there, though.
Sudo lets you run a program as root, that's it. It is considered secure now, AFAIK but I heard that there was some security problems before (do not ask me more about this, I only heard rumors).

I am not sure what you mean with "accessing the internet". Cause all sudo does is give you root privileges and than execute the program for you. If you run an application such as a webbrowser it will use your Internet connection, but if you run vi it will not.

I think you are being a little paranoid here, or at least paranoid in the wrong way, cause if a good cracker got into your system he will be able to get root access if you have a root exploit somewhere in your system. No matter if you run your applications as user or not. You should stop worry about this and check your system for exploits, rootkits, etc instead. That will help you more. :)

Regards.

Kahless 07-10-2005 03:04 AM

acessing the internet on dial up isnt any more secure than over a cable modem, it would just make it take longer to break into your box because your connection is slower. I dont know why you would even think otherwise.



the idea of "sudo" is to let your run specific commands as root, not to give you full root access. you use sudo to activate the software that creates your connection to the internet, and then you use that connection as a regular user.


sudo in itself can be very restrictive if set up properly.... for example....
you can edit your /etc/sudoers file to allow you to ONLY run the root commands to connect to the internet, mount your cdrom, and reboot the machine. That way if sombody did hack that user account, they STILL woudnt have full root access, yet. They would have to install a keylogger and wait for you to type in your root password, or run some kind of local exploit. Of course SUDO can also be wide open, allowing you to do ANYTHING as a sudoer. personally All I allow myself as a sudoer to do is mount and unmount drives (as i dont use dial up)


If you are super parinoid, here are some starting points:

-Make sure all of your software, especially any server programs (httpd, ftp, ect) are in secure, stable releases (not beta quality, but not old and outdated with known exploits)
-Simply disable/remove any software you dont need, especially server programs
-learn how to set up an IPTables firewall
-Only use root for system administration. Its ok to install system wide programs for all users as root, to change system config files, ect. Thats what its there for. The best way to do this stuff is either with sudo, or by using SU in a console.
-su is a great way to do occasional root-power thigns without having a wide open sudo file, and without having to log in or out. It has the extra niceness of giving you one root terminal in an otherwise un-privelaged desktop space (which you may be using to look up docs, for example :)
-use commmon sence, make sure you trust where you get files from. Only download things from their official mirros, or other trusted sources. If windows users would follow this advice....... and be less trusting of companies like Gator and kazaa......... but I wont go there.
-Make sure Telnet is disabled, end of story
-if you use SSH, edit the /etc/ssh.conf file to do the following:
---Dont allow the old, broken ssh1 protocol to be used
---Dont allow root to log in via ssh, ever. If you need root access via ssh, you log in as a user, and you SU to become root. The big deal here is: now a hacker has to guess your account name AND password, not just guess the root password.
-Use secure passwords, nothing in the dictionary, nothing simple. Some days I see hundreds of attempts to break into my server by password guessing scprits... if my Password were somthing dumb, like "Password," "Football," or "Cat"... I would be too busy formatting hard drives to post this :)


Some other things you might look into:
-Setting up Logwatch, although this might make you more parinoid: )
-Setting up Tripwire, which might make you feel better about yourself :)

Hope this wasnt a waste of your time :)

sundialsvcs 07-10-2005 01:17 PM

Strictly talking about system-maintenance... I have a separate user-id called "sysmaint" (not its real name) which is disabled for logins except when I am maintaining the system. This user-id, and this user alone, has the group memberships and other things that may be required to maintain the system, other than for doing "rootly things," for which purpose I "su root" from there.

My "ordinary, everyday" user-ID is just that... ordinary and everyday. It has no special permissions or powers at all.


All times are GMT -5. The time now is 07:13 AM.