Hi, I'm risking the most stupid question of the year, but I do it anyway. I often hear things like "If you ever link to the internet as root you are asking for a world of hurt". Could anyone please explain what excactly can happen (and im not talking about my own stupidities) when I'm connected to the Internet as root? Sander Jerry L Kreps wrote:

Ben Cuthbert wrote:

...

Does anyone know how i can give myself root permissions on my linux box.

bec i have used Yast and put me in the root users group but it does not give me the permissions

You don't want to do that... it is a big security hole! You can su to root from either the user command line or an xterm and do what every you wish. When you are done 'exit' will close the root 'window' and you are back to being just a user again. Running with root permission will lead to disaster because you will get causal and careless and destroy your system. You only want to be in root to do *specific* things, then exit back to a user. If you ever link to the internet as root you are asking for a world of hurt. JLK

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/

********************************************************************** Disclaimer This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Azlan Holdings bv and/or subsidiary. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you have received this email in error please notify Azlan Holdings MIS Helpdesk by telephone on +31 (0) 79 3443200. ********************************************************************** -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/

Sorry, but this isn't the answer I hoped for. When someone comes into my house, because I left the front-door wide-open, in know the cause (front-door wide open), the weak spot (it was open) and the results (credit cards etc. gone). In this case anyone knows exactly that the week spot is my door being open. It isn't obvious to me that my being logged in as root is a week spot. (BTW: This actually happended to me one night, lucky me, who lives in a honest village of God-fearing people, nothing was stolen.) Another example: If I log in to a Novell Netware 3.11 server, using the account supervisor, I know someone can use this account, because of a security-leak which was solved with packet signature. What I'dd really like to know is: what can one do, because I am logged in as user root, how do they do it (e.g. what weakness in this root-account are they using), and what can be the results. And I'm especially curious how my being logged in as user root relates to other security-measures I applied to me system, like hosts.allow and hosts.deny, only relevant and secure services enabled in inetd.conf, a nice securetty file and of course a password different than my wive's first name. Sander ----- Original Message ----- From: "Jerry L Kreps" To: "Sander van Vugt" Cc: Sent: Tuesday, March 07, 2000 12:55 PM Subject: Re: [SLE] Making yourself have root permissions

Sander van Vugt wrote:

...

Hi,

I'm risking the most stupid question of the year, but I do it anyway. I often hear things like "If you ever link to the internet as root you are asking for a world of hurt".

Could anyone please explain what excactly can happen (and im not talking about my own stupidities) when I'm connected to the Internet as root?

Sander

Would you go off to work and leave the front door of your home open, with a sign on the door that says "Come on in, steal everything I have, my credit cards, my jewels, my stereo and tv, then burn the place down. My insurance doesn't care because it won't cover it."

That's what is would be like connecting to the internet as root, except that you don't have to 'go to work'. You can be on your PC typing aways, as I am now, and some cracker could take control of your PC and do the what I mentioned above. Even though SuSE does a good job of installing a relatively safe system, running as root is a bad, bad thing to do, even if you don't connect to the Internet. JLK

********************************************************************** Disclaimer This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Azlan Holdings bv and/or subsidiary. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you have received this email in error please notify Azlan Holdings MIS Helpdesk by telephone on +31 (0) 79 3443200. ********************************************************************** -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/

I'm sorry to be a pain-in-the-ass, but if I understand it correctly, the only downside of being logged in as root, is that I might be sleepy and do something stupid to myself. I still don't see the security risk in relation to potential hackers, like there was, for example in Netware 3.11. ----- Original Message ----- From: "Dennis Soper" To: Cc: "Sander van Vugt" Sent: Tuesday, March 07, 2000 4:30 PM Subject: Re: [SLE] Making yourself have root permissions

On 7 Mar 00, at 13:28, Sander van Vugt wrote:

...

Sorry, but this isn't the answer I hoped for. When someone comes into my house, because I left the front-door wide-open, in know the cause (front-door wide open), the weak spot (it was open) and the results (credit cards etc. gone). In this case anyone knows exactly that the week spot is my door being open. It isn't obvious to me that my being logged in as root is a week spot.

Think of this command-- rm -rf ./ -- now suppose you are logged in as yourself, only you have root privileges, and execute this command. Now, suppose you've been at the keyboard for hours, are a bit frazzled, and you're not in the directory you've assumed you're in, after all everyone makes mistakes....

Cheers, Dennis "Custard pies are a sort of esperanto: a universal language." --Noel Godin

********************************************************************** Disclaimer This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Azlan Holdings bv and/or subsidiary. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you have received this email in error please notify Azlan Holdings MIS Helpdesk by telephone on +31 (0) 79 3443200. ********************************************************************** -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/

Thanks a lot, now I don't only know that, by I also know why. ----- Original Message ----- From: "Jon Pennington" To: "Sander van Vugt" ; ; Sent: Tuesday, March 07, 2000 4:50 PM Subject: Re: [SLE] Making yourself have root permissions

On Tue, 07 Mar 2000, Sander van Vugt wrote:

...

I'm sorry to be a pain-in-the-ass, but if I understand it correctly, the only downside of being logged in as root, is that I might be sleepy and do something stupid to myself. I still don't see the security risk in relation to potential hackers, like there was, for example in Netware 3.11.

Okay, for instance; there are known bugs in ircii-based IRC clients (ircii, epic, BitchX, others) that would allow a foreign host to gain root access to your system when said client is attached to an IRC server as root. ircii's greatest strength is it's highly scriptable architecture, and it used to be as simple as a Tcl or PERL script that would allow your nemisis access to your own box. Don't IRC as root.

Numerous applications have similar security holes that simply haven't been found yet. Consider for a moment all of the bugs that old FTP servers and old Sendmail's had; part of the problem was the fact that they were running the daemon as root, instead of a privelaged user. An assailant writes a bit of C to attach to the FTP daemon, causes a buffer overrun (the most common type of attacks these days), the daemon/application dies unexpectedly, and *!violla!* Root shell. Read some Usenet one of these days; it'll be an eye-opening experience. As a matter of fact, SuSE hosts an excellent (if slow) Security related list. That makes for good reading, too ;).

-- -=|JP|=- Jon Pennington | Atipa Linux Solutions -o) jpennington@atipa.com | Kansas City, MO /\\ 816-241-2641 x121 | http://www.atipa.com _\_V

********************************************************************** Disclaimer This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Azlan Holdings bv and/or subsidiary. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you have received this email in error please notify Azlan Holdings MIS Helpdesk by telephone on +31 (0) 79 3443200. ********************************************************************** -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/

Sander van Vugt wrote:

Sorry, but this isn't the answer I hoped for. When someone comes into my house, because I left the front-door wide-open, in know the cause (front-door wide open), the weak spot (it was open) and the results (credit cards etc. gone). In this case anyone knows exactly that the week spot is my door being open. It isn't obvious to me that my being logged in as root is a week spot.

Oh, you want a technical answer... Do a ps aux from the command line or use KTop to look at all of the services you have running on your box. Do you see a couple of services marked 'httpd'?? That is the http deamon, which is running in memory and has attached itself to port 80 and listens for clients on that port. (You can view /etc/services to see all the port numbers and what services are attached to them.) Some pimple-faced anti-social script kiddie downloads some 'tools' from a cracker site and runs them. He scans the ports on your box and make connections with your port 80. Or perhaps your ftpd port. Then he transfers some trojan software to your box and and runs it. Or, he opens up a remote terminal on your box. You are running as root, so that means he is too. If you were running as a user the cracker would have to try and break into the root account in order to take over your box. That is above the abilities of most script-kiddies. Failing that, the best the script-kiddie can do is destroy your account and account files, after he robs you blind. The trojan software, usually with names identical to Linux system utilities like 'ls', will do what you would think 'ls' would do, but it has additional capabilities: emailing your password file back to the script-kiddie, stealing your personal info, or just doing malicious damage. Do you have cookies in your netscape subdirectory that perhaps contains your credit card numbers? Well, I hope you get the idea. Never run your system as root, even if you never connect to the internet... remember Jon's story of the tired user who executes the rm command and blows his entire directory structure away? JLK -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/

LOL; perhaps it's not as simple as making a connection to the box and walking in `the front door', as Jerry put it, but it's certainly unwise. Anyway, why are you asking? Why would you log in as root unless you are doing *system*administration*? The root account (AKA Super User account) is *ONLY* for system administration when a privelaged user is not enough. Any time you use the root account, you're asking for real trouble, with or without an Internet connection.

You're perfectly right when you say that you only have to log in as root to do system administration, I totally agree, but the reason I am asking is that some people say you make it easy for a cracker to abuse your system when you are logged in as root and I have never heard any reasons why exactly that is so. Yes, I know you can do some really stupid things to your own system when you have to many rights on it, but it simply seems like a *myth* that my system is easier to hack when I'm logged in as root, so please, if it can be done, give me examples of *how* my system can be hacked then. As for why I'm asking? I consider Linux a good and secure system (if configured the right way), and I really like to know about weak point. Being logged in as root which gives more opportunities for the hacker seems a weak point to me. Luckily, I didn't hear anyone explain as for now where exactly this weak point exists and how a hacker can abuse it. Sander ********************************************************************** Disclaimer This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Azlan Holdings bv and/or subsidiary. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you have received this email in error please notify Azlan Holdings MIS Helpdesk by telephone on +31 (0) 79 3443200. ********************************************************************** -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/

..or am I being paranoid. Hi People. I run SuSE 6.3 on one box, and Mandrake 7 on another. This incident occured on my Mandrake. I sent a HUP sig to inetd, so I don't know if this is the cause of it - I also created a new user (users group) just before. And for some reason, printing from this box, to my SuSE server produced a segmentation fault (in the lpd spool logs on SuSE server). Don't know if its related... In addition, root received mail on Mandrake (after this incident), with security warning subjects (I hardly ever check root's mail - there was mail from a month ago, at the exact same time, of a similar problem..) I only checked the logs after experiencing(hearing) extremely heavy disk activity. Any help greatly appreciated. /var/log/messages: Mar 8 00:03:10 jo300 : Security Warning: Change in Suid Root files found Mar 8 00:03:10 jo300 : - Added suid root files : /bin/mount Mar 8 00:03:10 jo300 : - Added suid root files : /bin/ping Mar 8 00:03:10 jo300 : - Added suid root files : /bin/su Mar 8 00:03:10 jo300 : - Added suid root files : /bin/umount Mar 8 00:03:10 jo300 : - Added suid root files : /home/vscan/BIN/EMSCAN.DA_ Mar 8 00:03:10 jo300 : - Added suid root files : /sbin/pwdb_chkpwd Mar 8 00:03:10 jo300 : - Added suid root files : /usr/X11R6/bin/Xwrapper Mar 8 00:03:10 jo300 : - Added suid root files : /usr/X11R6/bin/imwheel-solo Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/at Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/chage Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/chfn Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/chsh Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/crontab Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/dos Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/gpasswd Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/kppp Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/lpq Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/lpr Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/lprm Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/newgrp Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/passwd Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/procmail Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/rcp Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/rlogin Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/rsh Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/sperl5.00503 Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/ssh1 Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/suidperl Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/urpmi Mar 8 00:03:10 jo300 : - Added suid root files : /usr/bin/vboxbeep Mar 8 00:03:10 jo300 : - Added suid root files : /usr/libexec/pt_chown Mar 8 00:03:10 jo300 : - Added suid root files : /usr/sbin/sendmail Mar 8 00:03:10 jo300 : - Added suid root files : /usr/sbin/suexec Mar 8 00:03:10 jo300 : - Added suid root files : /usr/sbin/traceroute Mar 8 00:03:10 jo300 : - Added suid root files : /usr/sbin/userhelper Mar 8 00:03:10 jo300 : - Added suid root files : /usr/sbin/usernetctl Mar 8 00:03:10 jo300 : Mar 8 00:03:10 jo300 : Security Warning: Change in World Writeable Files found Mar 8 00:03:10 jo300 : - Added writables files : /home/antivir/INSTALL.DAT Mar 8 00:03:10 jo300 : - Added writables files : /home/vscan/BIN/EMSCAN.DA_ Mar 8 00:03:10 jo300 : Mar 8 00:03:10 jo300 : Security Warning: the following files aren't owned by an user : Mar 8 00:03:10 jo300 : - Removed un-owned files : /home/w3mir-1.0.8 Mar 8 00:03:10 jo300 : - Removed un-owned files : /home/w3mir-1.0.8/Artistic and around 8000 other 'un-owned files' were listsed, and removed.. (including many files in /usr/local/mysql, /usr/local/httpd and /usr/local/src - and yes, the kernel soures as well..) Mar 8 00:06:02 jo300 : Mar 8 00:06:02 jo300 : Security Warning: There is modifications for port listening on your machine Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:7101 *:* LISTEN 6104/xfstt Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:982 *:* LISTEN 5887/rpc.mountd Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:977 *:* LISTEN 5887/rpc.mountd Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:mysql *:* LISTEN 2509/ Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:printer *:* LISTEN 1481/lpd Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:www *:* LISTEN 743/httpd Mar 8 00:06:02 jo300 : - Opened ports : tcp 0 0 *:996 *:* LISTEN 393/ Mar 8 00:06:02 jo300 : - Opened ports : udp 0 0 *:980 *:* 5887/rpc.mountd Mar 8 00:06:02 jo300 : - Opened ports : udp 0 0 *:975 *:* 5887/rpc.mountd Mar 8 00:06:02 jo300 : - Opened ports : udp 0 0 *:994 *:* 393/ Mar 8 00:06:02 jo300 : - Opened ports : udp 0 0 *:948 *:* 347/ Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:6000 *:* LISTEN 572/X Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:7101 *:* LISTEN 469/xfstt Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:996 *:* LISTEN 393/rpc.statd Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:964 *:* LISTEN 357/rpc.mountd Mar 8 00:06:02 jo300 : - Closed ports : tcp 0 0 *:959 *:* LISTEN 357/rpc.mountd Mar 8 00:06:02 jo300 : - Closed ports : udp 0 0 *:994 *:* 393/rpc.statd Mar 8 00:06:02 jo300 : - Closed ports : udp 0 0 *:962 *:* 357/rpc.mountd Mar 8 00:06:02 jo300 : - Closed ports : udp 0 0 *:957 *:* 357/rpc.mountd Mar 8 00:06:02 jo300 : - Closed ports : udp 0 0 *:948 *:* 347/rpc.rquotad Mar 8 00:06:10 jo300 : Mar 8 00:06:10 jo300 : Security Warning: World Writeable files found : Mar 8 00:06:10 jo300 : - /home/antivir/INSTALL.DAT Mar 8 00:06:10 jo300 : - /home/vscan/BIN/EMSCAN.DA_ Mar 8 00:06:10 jo300 : - /usr/share/apps/kpacman/highScore Mar 8 00:06:10 jo300 : - /var/lib/linpopup/messages.dat Mar 8 00:06:10 jo300 : - /var/lib/texmf/ls-R Mar 8 00:06:10 jo300 : Mar 8 00:06:10 jo300 : Security Warning: these home directory should not be owned by someone else or writeable : Mar 8 00:06:10 jo300 : user=mysqladmin : home directory is owned by mysqladm. Regards, Jason. -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/

Thanks to all for your extensive explanations. I'm happy, because I understand now. Before it was like my dad telling me not to do xyz. I asked why, he told me "because it is bad". So I did it anyway, until the day he could explain to me why exactly it was bad. Ciao, Sander ********************************************************************** Disclaimer This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Azlan Holdings bv and/or subsidiary. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you have received this email in error please notify Azlan Holdings MIS Helpdesk by telephone on +31 (0) 79 3443200. ********************************************************************** -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/

My personal beliefs are that someone is trying to break into a system, and figured we'd give good hacking advice. I definitely have to say, if this is the case than they should go somewhere else.

I'm really disappointed you think that as it is certainly *NOT* the case. But if that's what you think, I say thanks for nothing, I won't continue this thread anymore. ********************************************************************** Disclaimer This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Azlan Holdings bv and/or subsidiary. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you have received this email in error please notify Azlan Holdings MIS Helpdesk by telephone on +31 (0) 79 3443200. ********************************************************************** -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/