Regarding reason 1, you can configure sshd to block root from logging in remotely ("PermitRootLogin no" in /etc/ssh/sshd_config). I was surprised to see that this wasn't the default in some systems, but made sure to turn it on after I saw my first dictionary attack (and since).
Not that I disagree with any of your points, though.
Pete
-----Original Message-----
From: CCP4 bulletin board on behalf of Konrad Hinsen
Sent: Tue 4/29/2008 5:04 AM
To: [log in to unmask]
Subject: Re: [ccp4bb] ccp4 install on Leopard
On Apr 29, 2008, at 11:25, Andreas Förster wrote:
> Why working with sudo is safer than working as root is not clear to
> me. After all, the danger is not in root but in the uneducated
> user. If you're paranoid, you can keep using sudo until you get
> stuck and then switch to root.
There are two reasons why it is safer to use sudo and not have a root
account:
1) A root account increases the risk of attacks from the outside.
Since the name of the account is known to everybody ("root"), an
attacker need only guess or steal the password. On a system
maintained through sudo, an attacker needs to guess/steal a) the
name of an administrator account with sufficient privileges and b)
the associated password.
2) With sudo, the precise rights for everyone can be defined in
/etc/sudoers. On a well-configured machine (which is of course a
theoretical ideal), no account would accumulate all the rights of the
root account. This would both reduce the risk of mistakes and the
risk of attacks from the outside.
On a machine without a root account, "sudo -s" will run a shell with
the user's sudo privileges, which should (at least on the perfectly
configured machine) be a good replacement for doing work normally
done under a root account.
Konrad.
--
---------------------------------------------------------------------
Konrad Hinsen
Centre de Biophysique Moléculaire, CNRS Orléans
Synchrotron Soleil - Division Expériences
Saint Aubin - BP 48
91192 Gif sur Yvette Cedex, France
Tel. +33-1 69 35 97 15
E-Mail: [log in to unmask]
Web: http://dirac.cnrs-orleans.fr/~hinsen/
---------------------------------------------------------------------
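An added example, not part of either message in this thread: a small check for whether an sshd_config really blocks remote root login, as with the "PermitRootLogin no" setting mentioned above. It accounts for commented-out lines, case-insensitive keywords, sshd keeping the first value it reads for a keyword, and Match blocks that override the global value. The sample config is constructed and the function names are hypothetical.

```python
# Added example: constructed sshd_config text, not from any real host.
SAMPLE_CONFIG = """\
Port 22
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""


def root_login_settings(text):
    """Return (global_value, overrides) for PermitRootLogin.

    global_value is the first value set outside any Match block (sshd keeps
    the first value it reads for a keyword), or None when the keyword is unset.
    overrides lists (match_criteria, value) pairs set inside Match blocks.
    Include directives are not followed (simplification).
    """
    global_value, overrides, match = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out settings have no effect
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            match = arg  # a Match block runs until the next Match or EOF
        elif keyword == "permitrootlogin":
            value = arg.lower()
            if match is not None:
                overrides.append((match, value))
            elif global_value is None:
                global_value = value
    return global_value, overrides


def root_login_blocked(text):
    """True only if root login is 'no' globally and in every Match block."""
    global_value, overrides = root_login_settings(text)
    return global_value == "no" and all(v == "no" for _, v in overrides)


if __name__ == "__main__":
    print(root_login_settings(SAMPLE_CONFIG), root_login_blocked(SAMPLE_CONFIG))
```

A plain text search for "PermitRootLogin no" would pass the sample above even though the effective global value is "yes"; an unset keyword is reported as None because the built-in default depends on the OpenSSH version.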