[ale] Running stuff as root == bad, was Re: FC13 question

Scott McBrien smcbrien at gmail.com
Sat Jul 31 12:51:40 EDT 2010


That's all well and good if you want to make your own policy, but on RHEL, CentOS, and Fedora, root runs as an unconfined user, so for the most part they can still mangle whatever they want.  "Learn SELinux" is simplifying A LOT.

-Scott

On Jul 31, 2010, at 12:29 PM, Jim Kinney <jim.kinney at gmail.com> wrote:

> Learn selinux.
> 
>> On Jul 31, 2010 12:14 AM, "Michael Trausch" <mike at trausch.us> wrote:
>> 
>> The big thing, yes, is that running everything as root defeats the whole sandboxing that you get by running as a normal user---or even running things as multiple, different users.
>> 
>> With the complexity of today's software (necessarily or not) being what it is, I can't say that I would run much of anything as the root user. For that matter, I don't, even on the command line. The only root privilege I retain for myself is the use of sudo, which I nearly always call as "sudo -u $NEEDED_USER $CMD". That way, if I screw something up, I have a command to show for it in the system logs.
>> 
>> I would personally like to see "POSIX" capabilities in wider use then they are. I think it is great to have such a versatile kernel-enforced privilege mechanism, and useful to take away all the special powers of UID 0.  Although I don't think that it is at all as fine-grained as it could be without add-ons, and all of the add-ons that I know of pretty much suck.
>> 
>> Anyway, just my 2 cents. The more permissions are isolated and enforced by a kernel (which can often use hardware to provide the enforcement), the better contained things such as breakins or simply rogue users are. Not saying that would be a nirvana, but it would be a big help, I think. Especially when you do things like put syslog on the network without any permission but INSERT. Of course now I am talking about something way more complex than I wager most of us want to do at home...
>> 
>> --
>> Sent from my HTC Dream---Running Froyo!
>> Thanks, @cyanogen!
>> 
>> 
>> >
>> > On Jul 30, 2010 7:59 PM, "scott mcbrien" <smcbrien at gmail.com> wrote:
>> > One of the big problems ...
>> 
>> 
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20100731/49f31ac4/attachment-0001.html 


More information about the Ale mailing list