Open Source and information security mailing list archives
Date: Sun, 11 Nov 2012 12:38:50 -0500
From: Jerry Bell <jerry@...kologist.com>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: TTY handling when executing code in lower-privileged context (su, virt containers)

There are a few things to consider from my experience: 

1. It's easy to say "don't use weak passwords", however unless you're using some two-factor system or systematically forcing random passwords, people are generating the passwords, and history tells us that most people are very bad at that task.

2. Most organizations institute lockout policies for normal user accounts, so generally even a weak user password can't be guessed within 5 or 10 tries. However, root can't generally be locked out, so they are open to brute force attacks. I have first-hand experience responding to incidents that resulted from root being successfully brute-forced.

3. The concept of individual accountability is becoming increasingly important for many organizations. This doesn't matter much in some, particularly small, environments, but in a setting with dozens or hundreds of administrators, it is quite important. SUDO is about the only effective way of enabling large numbers of admins to operate on a system while maintaining accountability. It is not bulletproof, but it is a quite effective solution generally.

So, I am genuinely curious - how does blocking root logins and requiring SUDO weaken a system? I definitely have a lot to learn, and I feel like I am missing something.

Regards,

Jerry



On Nov 10, 2012, at 1:30 PM, Michal Zalewski <lcamtuf@...edump.cx> wrote:

>> I think you've taken that far too literally. My understanding of it is to
>> protect against a) brute force retardation b) dumb attackers.
> 
> The advice weakens the security of your system, because it means I
> just need to compromise your unprivileged account (in which you run
> your browser, mail client, and so on) to own the entire box.
> 
> As for the benefits, care to elaborate? I'm not sure what a) and b)
> really mean. If you're worried about brute-force, don't use trivial
> passwords. If you worry about opportunistic attacks, do that and then
> patch your stuff every now and then.
> 
> /mz
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
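As an added illustration of points 2 and 3 in the message above (example code, not from the thread or either author): a small Python check over constructed auth-log lines that flags sources hammering the root account, which a per-user lockout policy would not stop, and attributes each sudo command to the individual admin who ran it. The syslog formats, the hostnames and addresses, and the threshold of 5 are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread), in OpenSSH and sudo format.
SAMPLE_LOG = """\
Nov 11 12:01:01 host sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Nov 11 12:01:03 host sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Nov 11 12:01:05 host sshd[2103]: Failed password for root from 198.51.100.7 port 40130 ssh2
Nov 11 12:01:08 host sshd[2105]: Failed password for root from 198.51.100.7 port 40131 ssh2
Nov 11 12:01:09 host sshd[2107]: Failed password for root from 198.51.100.7 port 40133 ssh2
Nov 11 12:02:30 host sshd[2120]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Nov 11 12:02:33 host sshd[2120]: Accepted password for alice from 203.0.113.9 port 51000 ssh2
Nov 11 12:03:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service sshd restart
Nov 11 12:03:40 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(
    r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")


def failed_logins(log):
    """Count failed password attempts per (target user, source address)."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def root_bruteforce_sources(log, threshold=5):
    """Sources with at least `threshold` failures against root: a lockout policy
    would stop a normal account here, but root usually cannot be locked out."""
    return sorted(src for (user, src), n in failed_logins(log).items()
                  if user == "root" and n >= threshold)


def sudo_audit(log):
    """Attribute each privileged command to the individual account that ran it."""
    records = []
    for line in log.splitlines():
        m = SUDO_RE.search(line)
        if m:
            records.append({"who": m.group(1), "tty": m.group(2),
                            "as": m.group(3), "cmd": m.group(4)})
    return records


if __name__ == "__main__":
    print("root brute-force sources:", root_bruteforce_sources(SAMPLE_LOG))
    print("privileged commands:", sudo_audit(SAMPLE_LOG))
```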
