Re: cvs commit as root
From: Harry Putnam
Subject: Re: cvs commit as root
Date: Mon, 10 Dec 2001 11:26:21 -0800
User-agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/21.1 (i586-pc-linux-gnu)
address@hidden (Larry Jones) writes:
[...]
> root is just another user as far as file ownership goes. If a file is
> owned by joe and readable only by the owner, then no one other than joe
> can read it (except for root) just like no one other than root can read
> a root-owned file that is readable only by the owner. When a file is
> readable only by the owner, there's no more or less security depending
> on whether that user is root or some other user.
I guess that is sort of true, but really it's not quite right either.
I would expect `roots' password to be carefully selected so that the
likes of `john the ripper' wouldn't crack it easily. One thing I
would expect a script kiddy to do is try to crack the password file.
May not really be much of a problem with md5 passwords and shadow
files but I once applied `john the ripper' to an older FreeBSD
/etc/master.passwd on a machine with about 2000 users and had 1200
working passwords in about 15 seconds. Many of them were what is
sometimes called `joe joe' passwords (user and passwd are the same).
So may not be a fair comparison. Plus I already had root, just to get
to the master.passwd file.
>> Further, if files on the local machine's checked out module are under
>> root protection then an `update' by `joe' wouldn't overwrite them
>> would it?
>>
>> Or if Joe tries to check out a module when in / or some other root
>> only directory, he won't be able to right?
>
> In this case, you are still running as root on the local machine; you're
> only running as joe on the server machine.
Oh yeah, of course, that would be the case on the local
machine... What was I thinking..?
>> One last thing that doesn't seem to add up here. If suing with no `-'
>> is ok for cvs how is not ok as `su -'. Seems the same kind of
>> problems would obtain in either case.
>
> Because a simple `su' just changes your current user-ID. `su -' goes
> out of its way to make it look exactly like you logged in as the other
> user which generally prevents CVS from finding out who you really did
> log in as.
OK, I see how it would affect records inside cvs but, what I really
meant was how does it make security problems any better or worse?
That is, if sued with no `-' or not. In either case problems related
to security would be the same wouldn't they?
Thanks for the informative discussion.