Mailinglist Archive: opensuse (2700 mails)

Re: [SLE] setting multiple user id to 0 (zero) is bad ! Why?
  • From: John Scott <praiserock@xxxxxxxxx>
  • Date: Thu, 30 Jun 2005 22:54:26 -0400
  • Message-id: <33cb97920506301954ebb3a1e@xxxxxxxxxxxxxx>
On 6/30/05, Chadley Wilson <chadley@xxxxxxxxxxxx> wrote:
> Greetings,
> Friends, I am in a situation with one of my clients who use - (Yes that one
> again!!), uucp.
> Now their previous techies set all the user id's for the system to 0 (zero)
> Oh! and all the GID's as well.
> Now I have come in and had to fix this, but I get resistance.
> I have only one good reason why not to right now,
> with uucp on one site all the files are transferred but not removed from the
> queue, only when I set the user id to 14 (IIRC) and the GID to 512, and of
> course changed all the on the relevant configs and files, would it clean the
> remote queue.
> This reason however has been flawed as we have other sites that work properly
> with all the UID's and GID's set to 0 (zero).
> I need more reasons, explaining how this affects the system integrity, and
> functionality, the trick here is they don't give two hoots about the security
> aspect. So to win my case professionally and cleverly, I ask for real
> opinions and reasons.
> Could you please assist.
> --
> --
> Chadley Wilson
> Production Line Superintendant
> Pinnacle Micro
> Manufacturers of Proline Computers
> ====================================
> Exercise freedom, Use LINUX
> =====================================

The moment they get a letter in the mail from the ISP and/or lawyer
informing them that their server contains copyrighted material,
questionable content, etc, etc, they'll care. And all the "we didn't
know" won't help bad PR in the news. Especially when the news reports
that it was due to sloppy and lazy security practices. Of course,
they'll try to blame someone else, "It's the consultant's fault.", so
get some CYA documentation with signatures and a few emails for added
weight and evidence to at least absolve yourself if/when it hits the
fan. Oh, and gently remind them that around 80 percent (last I
checked anyway) of all security breaches take place inside, not
outside, the company network; and then ask just how important the data
is to the company and its revenue. Would the cost of lost data (maybe
the next big widget or gizmo that makes millions) be more than the
cost of proper security best practices? Is it worth losing a
competitive edge to your competition? Black hats don't waste time
with website defacements anymore. Corporate espionage is big
business. If the black hat owns the server, he owns the data and is
free to bend the contents of the data to his amusement, or sell it or
make it available to whom he pleases.
