LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 07-04-2005, 12:25 PM   #1
skouket
LQ Newbie
 
Registered: Mar 2005
Posts: 20

Rep: Reputation: 0
When i connect on the internet I want root not to access the internet !!


When i am connecting to the internet as user , which i work i want the root to to be able to access the internet to avoid security issues.
Meaning:
A user is logged on and make a connection(dial-up) to the internet.
root logs into the system but he should not access the internet.

I can to this by removing the "rw" permisions of root from the modem device character under /dev/ ??

I am asking this because let's say i want to recompile the kernel.
This takes about 30 minutes.For these 30 minutes i want to suft on the internet but the compilation of the kernel is done using my root account

So will the above work or do you have anything else to propose ??
 
Old 07-04-2005, 01:01 PM   #2
Noth
Member
 
Registered: Jun 2005
Distribution: Debian
Posts: 356

Rep: Reputation: 30
Don't compile as root, there's no reason to.

And you can't stop root form accessing the Internet, you could try with netfilter rules but root can change those.
 
Old 07-04-2005, 01:03 PM   #3
oneandoneis2
Senior Member
 
Registered: Nov 2003
Location: London, England
Distribution: Ubuntu
Posts: 1,460

Rep: Reputation: 46
It won't work, root is above permissions.

I honestly wouldn't worry about it. The mere fact that root is running something won't make it any easier for a cracker to compromise your PC.
 
Old 07-05-2005, 04:24 AM   #4
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 49
Compile as a user and install as root. And when you install, you can pull out the network cable if you want. But as one said earlier: there is no need to. Because root always exists even if you haven't logged in as root. A smart cracker may compromise your computer and make himself root through some sort of root exploit, and this can happen even if you never ever logged in as root. So it just doesn't matter. Just make sure not to use root for your daily surfing, mail reading, IM messaging and so on and you will be at least more secure than those idiots in the windows world, doing everything as Administrator! *evil laugh*

 
Old 07-05-2005, 04:34 AM   #5
overlord73
Member
 
Registered: Apr 2004
Location: ..where no life dwells..
Distribution: RH,FC/SuSE/Debian/HPUX/OSX
Posts: 511

Rep: Reputation: 30
Quote:
Originally posted by Ephracis
...... and you will be at least more secure than those idiots in the windows world, doing everything as Administrator! *evil laugh*
big big grin!
 
Old 07-05-2005, 10:33 AM   #6
skouket
LQ Newbie
 
Registered: Mar 2005
Posts: 20

Original Poster
Rep: Reputation: 0
i do some things as root, like development , package creation(for slack) and kernel compilation as root.
As for surfing etc ... meaning the desktop use , i do it as user..

Come thinking of it now i should probably create an account for development and then i would do almost nothing as root ( except when it is needed )

Thnx for the information and the replies guys
 
Old 07-05-2005, 11:06 AM   #7
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 49
One more thing you can do: if you install stuff without a package manager (I use Slack so I have to do it this way) you can make sure to have a dir like ~/programs/ and than issue "./configure --prefix=/home/you/programs" instead of just ./configure. That will install the package in your home dir, so you will have write access and than you do not even have to be root to install it. Now just add that directory to $PATH and you can run the program just as before. I use it, and I like it. Only root when you just MUST be it, that's a nice way to go.

Regards.
 
Old 07-06-2005, 11:40 AM   #8
skouket
LQ Newbie
 
Registered: Mar 2005
Posts: 20

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Ephracis
One more thing you can do: if you install stuff without a package manager (I use Slack so I have to do it this way) you can make sure to have a dir like ~/programs/ and than issue "./configure --prefix=/home/you/programs" instead of just ./configure. That will install the package in your home dir, so you will have write access and than you do not even have to be root to install it. Now just add that directory to $PATH and you can run the program just as before. I use it, and I like it. Only root when you just MUST be it, that's a nice way to go.

Regards.
i use slackware too but i install almost all my programs under /usr/local
but what you propose is good.
i don't worry much because i am dial-up and i don't use internet for more than 4hours at home.
i am gonna get broadband soon and what you propose here may be a must
 
Old 07-06-2005, 02:45 PM   #9
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 49
Quote:
Originally posted by skouket
i use slackware too but i install almost all my programs under /usr/local
Yes, that is the "standard" and so did I. But the main reason I changed that is because my home dir is on another partition so when I re-installs Linux I can keep my old programs.

Quote:
i don't worry much because i am dial-up and i don't use internet for more than 4hours at home.
i am gonna get broadband soon and what you propose here may be a must
Yeah, being on a modem is pretty more secure, but they tend to be slow, so I like broadband better. :P
 
Old 07-09-2005, 07:43 AM   #10
DeekBeek
Member
 
Registered: Mar 2005
Distribution: Ubuntu 14.04 LTS 64-bit
Posts: 125

Rep: Reputation: 15
I don't have a clear understanding what sudo does in relation to root. I installed the netzero.deb package under SuSE Linux 9.2, then set it up to run from my user directory using sudo. Am I accessing the internet as root when I use this sudo arrangement, or is it more protected? I tried changing file permissions and ownerships on the netzero installation directory before resorting to sudo; no luck there, though.
 
Old 07-09-2005, 08:32 AM   #11
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 49
Quote:
Originally posted by DeekBeek
I don't have a clear understanding what sudo does in relation to root. I installed the netzero.deb package under SuSE Linux 9.2, then set it up to run from my user directory using sudo. Am I accessing the internet as root when I use this sudo arrangement, or is it more protected? I tried changing file permissions and ownerships on the netzero installation directory before resorting to sudo; no luck there, though.
Sudo lets you run a program as root, that's it. It is considered secure now, AFAIK but I heard that there was some security problems before (do not ask me more about this, I only heard rumors).

I am not sure what you mean with "accessing the internet". Cause all sudo does is give you root privileges and than execute the program for you. If you run an application such as a webbrowser it will use your Internet connection, but if you run vi it will not.

I think you are being a little paranoid here, or at least paranoid in the wrong way, cause if a good cracker got into your system he will be able to get root access if you have a root exploit somewhere in your system. No matter if you run your applications as user or not. You should stop worry about this and check your system for exploits, rootkits, etc instead. That will help you more. :)

Regards.
 
Old 07-10-2005, 03:04 AM   #12
Kahless
Member
 
Registered: Jul 2003
Location: Pennsylvainia
Distribution: Slackware / Debian / *Ubuntu / Opensuse / Solaris uname: Brian Cooney
Posts: 503

Rep: Reputation: 30
acessing the internet on dial up isnt any more secure than over a cable modem, it would just make it take longer to break into your box because your connection is slower. I dont know why you would even think otherwise.



the idea of "sudo" is to let your run specific commands as root, not to give you full root access. you use sudo to activate the software that creates your connection to the internet, and then you use that connection as a regular user.


sudo in itself can be very restrictive if set up properly.... for example....
you can edit your /etc/sudoers file to allow you to ONLY run the root commands to connect to the internet, mount your cdrom, and reboot the machine. That way if sombody did hack that user account, they STILL woudnt have full root access, yet. They would have to install a keylogger and wait for you to type in your root password, or run some kind of local exploit. Of course SUDO can also be wide open, allowing you to do ANYTHING as a sudoer. personally All I allow myself as a sudoer to do is mount and unmount drives (as i dont use dial up)


If you are super parinoid, here are some starting points:

-Make sure all of your software, especially any server programs (httpd, ftp, ect) are in secure, stable releases (not beta quality, but not old and outdated with known exploits)
-Simply disable/remove any software you dont need, especially server programs
-learn how to set up an IPTables firewall
-Only use root for system administration. Its ok to install system wide programs for all users as root, to change system config files, ect. Thats what its there for. The best way to do this stuff is either with sudo, or by using SU in a console.
-su is a great way to do occasional root-power thigns without having a wide open sudo file, and without having to log in or out. It has the extra niceness of giving you one root terminal in an otherwise un-privelaged desktop space (which you may be using to look up docs, for example
-use commmon sence, make sure you trust where you get files from. Only download things from their official mirros, or other trusted sources. If windows users would follow this advice....... and be less trusting of companies like Gator and kazaa......... but I wont go there.
-Make sure Telnet is disabled, end of story
-if you use SSH, edit the /etc/ssh.conf file to do the following:
---Dont allow the old, broken ssh1 protocol to be used
---Dont allow root to log in via ssh, ever. If you need root access via ssh, you log in as a user, and you SU to become root. The big deal here is: now a hacker has to guess your account name AND password, not just guess the root password.
-Use secure passwords, nothing in the dictionary, nothing simple. Some days I see hundreds of attempts to break into my server by password guessing scprits... if my Password were somthing dumb, like "Password," "Football," or "Cat"... I would be too busy formatting hard drives to post this


Some other things you might look into:
-Setting up Logwatch, although this might make you more parinoid: )
-Setting up Tripwire, which might make you feel better about yourself

Hope this wasnt a waste of your time
 
Old 07-10-2005, 01:17 PM   #13
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172
Strictly talking about system-maintenance... I have a separate user-id called "sysmaint" (not its real name) which is disabled for logins except when I am maintaining the system. This user-id, and this user alone, has the group memberships and other things that may be required to maintain the system, other than for doing "rootly things," for which purpose I "su root" from there.

My "ordinary, everyday" user-ID is just that... ordinary and everyday. It has no special permissions or powers at all.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Is there anyway to connect to the internet without root privilages? captainfreedom Linux - Newbie 2 02-28-2005 11:59 AM
why cannot access the internet as root? FarAway Linux - Newbie 2 08-04-2004 03:15 PM
Only root can connect to the internet astronaut3000 Linux - Networking 2 07-25-2004 04:06 PM
Only root can use and connect to the internet VerTiCal Linux - Networking 17 04-30-2004 04:10 PM
Only root can use and connect to the internet VerTiCal Linux - General 2 04-28-2004 07:25 PM


All times are GMT -5. The time now is 10:01 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration