su: blacklist users
Chong Yu Meng
chongym
Fri May 26 22:19:11 PDT 2006
On Fri, 2006-05-26 at 19:24 -0600, Michael Hipp wrote:
> > Using sudo for "limited" access DOES NOT WORK, don't listen to Tim.
> >
> > sudo can be used to grant full root access but nothing less so don't assume it
> > does. That said, if you're in a small single-user environment (e.g. at
> > home), sudo can be used to make admin tasks easier, like editing config files
> > or installing packages. Do not do that in multi-user environments. Please.
>
> Can you elaborate? Is sharing the root password among multi users somehow preferable to using sudo? Or is there some third alternative?
>
My feeling is that we need to approach this from another angle: security
is a process, not the quest for some silver bullet that does not exist.
There are ways to crack sudo and there are (valid) concerns about giving
su privileges to anyone besides yourself or the administrator of the
system. Anybody who has ever administered any public server would have
horror stories to share about any aspect of security or proper
practices.
My approach to security is to have enough layers and complexity to delay
the hacker/cracker long enough for my people or systems to detect
him/her/them and then take remedial action. Of course it would be great
if you can stop such attacks completely, but I don't think that can ever
happen.
--
Pascal Chong
email: chongym at cymulacrum.net
web: http://cymulacrum.net
"We can lick gravity, but sometimes the paperwork is overwhelming."
-- Wernher von Braun