Quote:
If you wanna make a safe distribution, how about one that warns a user every time they use an unencrypted protocol (i.e. FTP, VNC) across the internet that other people may be able to view their username and password. Also Ubuntu doesn't encourage things like locking down /tmp in ways that reduce the number of rootkit vulnerabilities you have... I am curious with Ubuntu, what happens if you need to run a manual FSCK and it requires the maintenance password... is that the initial user password? or does this lead to a whole different level of headaches. Or worse yet, does it let just anybody into the maintenance terminal =P? But as it goes, user apathy to server security/protection is my number 1 reason why servers get hacked (any OS). While direct logins as root and browsing the internet as root are on the list of insanely crazy things to do, most OSs disable or warn about GUI root logins and SSHD is easily configurable to disable direct root logins... but leaving the benefit of "SU" and/or console root logins can be in my opinion beneficial and just easier... |
This thread is perhaps past its prime, but my buttons have been pushed....;)
I had a chat with a Ubuntu rep at the last SCALE. He was arguing that their no-root-user weirdness was actually a plus for security. I don't remember what the rationale was, but I was not impressed. Since then, I have read about people being disciplined on the Ubuntu fora for divulging the "secret" to enabling the root account. Bad dog, Ubuntu---BAD Dog!! As for "sudo bash" creating a security hole, consider some other security holes:
If you want real security, you have to control who has physical and network access to the hardware. |
Quote:
However in no way should the uninformed actions of an OP who clearly does all the right stuff for all the wrong reasons be left unchallenged. |
I can see your logic, but let's try a loose analogy:
Suppose I check in to the ArchLinux forum and post something on how to disable pacman and set up Arch with Synaptic.....Or maybe how to get rid of rc.conf and replace it with something more "normal". Will I get disciplined or ejected from the forum? I think not. Carrying it further: Suppose I posted instructions on how to set up Arch to be like Ubuntu? They are still not going to punish me. LAUGH AT ME--perhaps. I'm obviously in the camp that NO-ONE should be practicing thought control. AND--look at Mint: They don't bother just **telling** you how to have a root account---they put it in the installer as an option. |
Another slightly more obscure analogy:
Circa 1970, I pull the 2-speed Powerglide out of my Chevy Impala, and replace it with a 3-speed hydramatic. Off to the dealer to get the right speedometer gears. Tell dealer person what I have done. Answer: "You can't do that." Showing him the actual car in which I had successfully driven to his establishment did not seem to make an impression..... Moral: The world is full of people who are quite willing to decide how you **should** do something, but there is only ONE person who **should** be making the decision. I want Ubuntu to advise me, not to dictate. |
To be honest what put me off of Ubuntu was its inability to actually work on any system I put it on, it's probably more compatible by now but when I place it on my state of the art white boxes I just used to get so many graphical glitches and compatibility issues it wasn't worth it. Now I just use CentOS since I am used to dealing with it so much as it's the mode OS used in the data center that I work in. Also I rarely get graphical problems with CentOS...
But as for Ubuntu's Security, naturally as I never got on with it, it wasn't 'til I came across servers that used it that I found out just how annoying the whole distribution actually is when you ignore the putrid orange interfaces... The whole not allowing logins as root is something I just by-pass in 10 seconds if I do have to use it for some reason, I am after all, in my line of work, used to having to by-pass people securing themselves so well they secure themselves out of their own servers. |
This is why I dislike Ubuntu
The main advantage of sudo is that it allows certain users and administrators to run root commands without needing to distribute the root password. You can temporarily give someone permission to run sudo and then remove this privilege later.
Also look at using PolicyKit for the types of things that regular users may commonly need to do. For example, there may be a setting to allow a user to install updates. This would allow a user to click OK in the updater applet without then needing to enter the root password. Or perhaps allow the user to change the PulseAudio setting to high priority. It can be difficult to totally eliminate holes in using sudo. Such as using rvim; forbidding "sudo su -"; using a different mail server without an escape character, etc. It may be combined with kernel auditing to audit all root commands. IMO, this is more likely the case for servers where an inflexible policy is more useful. The only difficulty I would have with Ubuntu is that using redirection is more difficult. The > and < operators manipulate files with the privileges of the "sudo" command, not the command you are running. |
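The sudoers holes named in the post above (an unrestricted `ALL` rule, an editor with a shell escape where rvim would do, `sudo su -`) can be checked mechanically. This is an added example, not part of the original post; the sample rules, the program lists and the `audit()` helper are constructed for illustration.

```python
import re

# Constructed sample sudoers content; users and rules are illustrative only.
SAMPLE_SUDOERS = """\
Defaults env_reset
myuserid ALL=(ALL) ALL
alice ALL=(root) /usr/bin/vim /etc/hosts
bob ALL=(root) /usr/bin/rvim /etc/hosts
carol ALL=(root) /usr/bin/apt-get update, /bin/su -
dave ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
"""

# Illustrative lists (assumptions, not exhaustive).
SHELLS = {"su", "sh", "bash", "dash", "zsh"}   # give a root shell directly
ESCAPES = {"vi", "vim", "less", "more"}        # can spawn a shell from inside

SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAG = re.compile(r"([A-Z_]+):\s*")

def audit(text):
    """Return (user, issue, command) tuples for risky sudoers rules.

    Simplified parser: no line continuations, aliases or escaped commas.
    """
    findings = []
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if not line or line.startswith(SKIP) or not m:
            continue
        user, cmds = m.groups()
        noexec = False  # tags carry over to later commands in the same rule
        for cmd in (c.strip() for c in cmds.split(",")):
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOEXEC", "EXEC"):
                    noexec = t.group(1) == "NOEXEC"
                cmd = cmd[t.end():]
            if cmd == "ALL":
                findings.append((user, "unrestricted", cmd))
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if prog in SHELLS:
                findings.append((user, "root-shell", cmd))
            elif prog in ESCAPES and not noexec:
                findings.append((user, "shell-escape", cmd))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(*finding, sep="\t")
```

The rvim rule and the `NOEXEC:`-tagged pager pass, while the plain vim rule, the `su -` entry and the blanket `ALL` rule are reported.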
Ubuntu's horrible prompts remind me of Windows Vista's UAC, which I disabled the first day. I feel restricted in Ubuntu, so I do not use it, and I feel I have to warn other people about it |
This is an interesting thread. I very rarely log in to root, preferring to do almost all maintenance activity with sudo. For me this works because I don't really do that much maintenance activity, and "command not found" or "must be root" (whatever the actual messages are) are enough to remind me to use sudo. This is good, because I don't accidentally do the infamous "rm -rf /". :)
Does it make my system less secure having "myuserid ALL=(ALL) ALL"? Probably. But, I don't have any open ports, so the risk is small on a home-user desktop. I can see that in a larger installation, or on a web-open install, I might want to set aside different sudo users for different maintenance activities; even if there was only just me. I'm not convinced that logging in to root is the right option, though. |