[techtalk] Re: techtalk digest, Vol 1 #445 - 11 msgs

Raven ni Rosemary damask0 at yahoo.com
Sat May 12 08:41:35 EST 2001


Heya --

>> But again, if it is a 'recovery thing' where is the documentation? 
>> Why wasn't it clearly in the manual?
> 
> Which manual?  There is no "Linux manual" per se.  It depends on how
> well the individual distro documents things and writes their manual. 


     Quite.  Also, you can't expect to get all sysadmin wisdom from the
manual.  I certainly encourage reading the documentation -- it will
find you answers to the most common problems, and some of the uncommon
ones as well.  But there are also many cases where you'll encounter a
strange misconfiguration or issue that isn't in the manual.  That's one
of the reasons why Linux mailing lists and user groups are so popular. 
There's a big difference between reading the books and actually
maintaining a system.  Ideally, you get some of both.

>> Why bother having passwords if anybody can get around them?  Don't
>> you think that by putting encrypted passwords on a computer one 
>> would be led to believe that a password was needed to gain entry?  

     I think the point is that not anybody can get around them.  The
machine should either be stored in a place that is physically
inaccessible to those who shouldn't be using it, or (for example, if
it's a desktop system and you don't trust those you live with) locked
down with BIOS passwords, LILO passwords, and sudoers to track who has
extra privileges and what they're doing (that's what /etc/sudoers is
for).

>> Especially since linux makes such a big deal about how secure it is.
> 
> You are *way* off base here.  Linux is about as secure as any OS out
> there. 

     Okay, small pet rant here.  Linux can be made to be incredibly
secure.  Many distributions ship that way (TurboLinux, Debian).  Others
ship more with ease of use in mind (Red Hat) than security by default. 
But any Linux advertising stuff that I've seen either claims that it
can be made secure, or that it ships secure *for that particular
distribution or product*.  Not that all Linuxes are the most secure
thing ever.  The only OS that I have seen that makes that sort of broad
claim is BSD, which ships with everything locked down by default.  (But
it takes a knowledgeable sysadmin to turn on necessary services and get
it to work.)

     And maintaining a secure system takes work.  You can't install Red
Hat's Server straight out of the box, never disable unneeded services
or patch anything, and expect that you have perfect security.  Most
security-conscious sysadmins read Bugtraq or CERT advisories, keep up
with the holes found in the software they're running (Bind and Sendmail
in particular are notorious for this), and deliberately run security
audits on their boxes on a regular basis.  Security-consciousness is an
ongoing mindset, if you're really that concerned about it.

> All have this feature, which, as someone pointed out, is absolutely a
> requirement to recover a system where the root password has been 
> lost. 

     Or compromised.  A fine example of the above security rant is the
Lion worm.  It uses an exploit in versions of Bind older than 8.2.3. 
That exploit has been known, published on Bugtraq and CERT, and patches
have been available for months.  Sysadmins running Bind who kept up on
their security patching were not affected.  But some old versions of
Red Hat Server install a vulnerable version of Bind by default and the
sysadmins never bothered to check that, update it, or shut it off.  So
their boxes got rootkitted.

     I got to do cleanup on some of those boxes.  Linux single was
absolutely invaluable, since the root password had been changed on two
of the three boxes I saw.  (Of course, as previously mentioned we could
also have yanked the hdd or booted from floppy.)

>> But if all your neighbors had a pass key to your house when you
>> bought it and you were not told about it wouldn't you feel a bit 
>> violated?

     This is a common last-ditch bailout for many Unix and Unix-like
systems.  Solaris has something like it.  So does AIX.  Even Cisco
routers have a password recovery procedure.  (IOS is Unix-like.)  It's
built into most Unix-like production machines that I know of.  You may
not have encountered the procedure before, but it's really common, and
sysadmins use it all the time.

Cheers,
Raven

=====
"Being powerful sucks. I will brood."
 -- Rand al'Thor, in the Ultra-Condensed Path of Daggers
    http://www.rinkworks.com/bookaminute/b/jordan.path.shtml
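
Added example, not part of Raven's post or of any distribution's tooling:
a small offline audit script covering the three things the post says a
sysadmin has to keep straight, LILO password protection (so "linux single"
at the boot: prompt is not a free root shell for anyone at the console),
the list of services inetd starts, and whether the installed BIND falls
in the pre-8.2.3 range the post gives for the Lion worm.  All file paths
and version strings are parameters, and the lilo.conf and inetd.conf it
reads are constructed samples written to a temp directory, so nothing here
touches the real /etc/lilo.conf, /etc/inetd.conf or a running named.

```sh
#!/bin/sh
# Added example, not from the original post or from any distribution.
# Offline audit of three items from the post: LILO is password-protected,
# inetd is not starting services nobody needs, and BIND is not older than
# 8.2.3 (the post's Lion worm cut-off).  Every path is a parameter so the
# functions run here against constructed sample files.

# lilo_hardened FILE: succeed if lilo.conf sets a password and "restricted".
# "restricted" makes LILO ask for the password only when boot options such
# as "single" are typed, so an unattended reboot still comes up on its own.
lilo_hardened() {
    awk '/^[ \t]*password=/ { p = 1 }
         /^[ \t]*restricted/ { r = 1 }
         END { exit !(p && r) }' "$1"
}

# inetd_services FILE: print the service name of every active (uncommented)
# line, i.e. the list a sysadmin should go through and prune.
inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# bind_vulnerable VERSION: succeed if VERSION is older than 8.2.3 (the post's
# cut-off).  Suffixes such as -P7 or -REL are ignored; missing fields are 0.
bind_vulnerable() {
    printf '%s\n' "$1" | awk -F'[.-]' '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        old = (maj < 8) || (maj == 8 && (min < 2 || (min == 2 && pat < 3)))
        exit !old
    }'
}

# audit LILO_CONF INETD_CONF BIND_VERSION: print findings, return the number
# of hard failures (the inetd list is only flagged for review).
audit() {
    problems=0
    if lilo_hardened "$1"; then
        echo "ok:     $1 has password= and restricted"
    else
        echo "FAIL:   $1 lets anyone at the console boot 'linux single'"
        problems=$((problems + 1))
    fi
    if bind_vulnerable "$3"; then
        echo "FAIL:   BIND $3 is older than 8.2.3; patch it or shut it off"
        problems=$((problems + 1))
    else
        echo "ok:     BIND $3 is not in the pre-8.2.3 range"
    fi
    echo "review: inetd starts: $(inetd_services "$2" | tr '\n' ' ')"
    return $problems
}

# ---- constructed sample inputs (not files taken from any real system) ----
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/lilo-weak.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
cat > "$TMP/lilo-hardened.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
password=change-me-before-running-lilo
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
cat > "$TMP/inetd.conf" <<'EOF'
# <service> <type> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF

# Demo run against the weak config and a Lion-era BIND: two FAIL lines.
if audit "$TMP/lilo-weak.conf" "$TMP/inetd.conf" 8.2.2-P7; then
    echo "no problems found"
else
    echo "problems found: $?"
fi
```

Point the three functions at the real /etc/lilo.conf, /etc/inetd.conf and
the output of `named -v` to run it for real; after adding password= to
lilo.conf, remember to make the file root-only readable and rerun lilo,
or the password is both world-readable and not yet in the boot sector.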
