Re: [opensuse-factory] Re: [PLEASE SPEAK UP] Disabling legacy file systems by default?
On 2/12/19 3:15 PM, Michal Kubecek wrote:
> ...which is why people end up doing crazy things like "sudo su -". And,
> voilà, they have a root shell anyway, except all they needed was the
> regular user's password. That's supposed to be the security improvement,
> having to write "sudo su -" rather than just "su -"?

``sudo -s'' is the easier way.

>> This is an example of a pragmatic improvement.
>
> That's no improvement.

I proceeded to list 3 ways it was an improvement. Rather than address
them, you've made fun of them.

This means that you are actually _acting out_ the "not invented here"
syndrome I was specifically addressing, you know that?

> Use the same password for your regular user and root account then. You
> will also have "only one password to remember" and about the same level
> of "security" as in Ubuntu.

Points missed:
* 2 passwords to keep in sync
* keeps an active root account available to be 0wned
* causes user confusion over which password is needed/works where

Greater point missed: do you seriously think that the huge team of
skilled engineers at the biggest computer company in history missed
these points when they implemented this idea? Do you think you're
smarter than everyone at Apple?

Or did you forget that this was not an Ubuntu innovation, it was an
Apple one, which Ubuntu copied? Perhaps you were distracted by the
chance to take some cheap shots at a rival distro. Suggestion: don't do

> How exactly? By forcing you to type those 5 extra characters?

If there's no root account available, you can't log in as it. This is
not a hard point to understand.

Up to Vista, in the Win NT family, on standalone machines, it was normal
practice to log in as the administrator and use the machine that way.
This was a terrible idea, but it was needed for a lot of software from
the Win9x world to work, so that's what hundreds of millions of people
were used to.

> Except that there is regular user password which is sufficient to do
> anything so that the attacker does not need the root password and can
> "find out, social engineer, whatever" that one.

There is anyway. No real loss. But whereas a hacker knows the name of
the root account because it's the same on almost all Unix machines, they
don't know the username of the current owner/user.

Again, this is simple, obvious stuff. I don't know why you are trying to
make fun of these simple points, but if it is so that you look clever
doing so, I warn you that it's not working.

> Ever heard "For each complicated problem, there is an elegant, simple
> and easy to understand solution which has only one tiny weakness: it does
> not actually solve the problem."?

A more general lesson:

[1] "Those who cannot remember the past are condemned to repeat it." --
George Santayana
[2] "Those who do not understand UNIX are condemned to reinvent it,
poorly." -- Henry Spencer
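An added example, not part of either participant's mail, showing what the two mechanisms argued about above actually look like on disk. "No root account available" on an Ubuntu-style system means the root entry in /etc/shadow carries no usable password hash ("!" or "*" in the second field), so password authentication as root is refused; and whether "sudo su -" needs the user's password or root's is not a fixed property of sudo but the sudoers "Defaults targetpw"/"rootpw"/"runaspw" setting (openSUSE's stock sudoers has long shipped with "Defaults targetpw"). The shadow and sudoers texts below are constructed samples with placeholder hashes, so the script runs without root and never touches the real files; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): classify a shadow entry, and report
# which password sudo will prompt for given a sudoers file.

# Constructed /etc/shadow sample. Hashes are placeholders, not real.
SAMPLE_SHADOW='root:!:18000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:18000:0:99999:7:::
bob:*:18000:0:99999:7:::
carol::18000:0:99999:7:::'

# Constructed sudoers samples.
SUDOERS_UBUNTU='Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL'

SUDOERS_TARGETPW='Defaults targetpw   # prompt for the target user (root) password
ALL ALL=(ALL) ALL'

# account_state USER SHADOW_TEXT
# Prints one of: locked | disabled | empty | active | missing
#   locked   - field starts with "!" (passwd -l / usermod -L): password auth refused
#   disabled - field starts with "*" (no password ever set): password auth refused
#   empty    - no hash at all: password auth without a password, if PAM allows it
#   active   - a hash is present: password auth possible
account_state() {
    _line=$(printf '%s\n' "$2" | grep "^$1:" | head -n 1)
    if [ -z "$_line" ]; then
        echo missing
        return 0
    fi
    _field=${_line#*:}      # drop the user name
    _field=${_field%%:*}    # keep only the password field
    case "$_field" in
        '!'*) echo locked ;;
        '*'*) echo disabled ;;
        '')   echo empty ;;
        *)    echo active ;;
    esac
}

# sudo_asks_for SUDOERS_TEXT
# Prints which password sudo prompts for: root | runas_default | target | invoking
# Mirrors sudo's precedence (rootpw, then runaspw, then targetpw). Negated
# flags ("!targetpw") and commented-out lines are ignored. Simplified: it
# does not evaluate NOPASSWD tags or "Defaults !authenticate".
sudo_asks_for() {
    for _flag in rootpw runaspw targetpw; do
        if printf '%s\n' "$1" |
           grep -Eq "^[[:space:]]*Defaults[^#]*[[:space:],]${_flag}([[:space:],]|\$)"; then
            case $_flag in
                rootpw)   echo root ;;
                runaspw)  echo runas_default ;;
                targetpw) echo target ;;
            esac
            return 0
        fi
    done
    echo invoking
}

# Demo on the constructed samples.
for u in root alice bob carol dave; do
    printf '%-6s %s\n' "$u" "$(account_state "$u" "$SAMPLE_SHADOW")"
done
printf 'Ubuntu-style sudoers asks for: %s password\n' "$(sudo_asks_for "$SUDOERS_UBUNTU")"
printf 'targetpw sudoers asks for:     %s password\n' "$(sudo_asks_for "$SUDOERS_TARGETPW")"
```

Two caveats the script makes visible. A "!" or "*" in /etc/shadow only refuses password authentication as root; it does nothing against "sudo -i" or "sudo su -", which authenticate as the invoking user unless the sudoers Defaults say otherwise, and it does not affect key-based SSH logins as root if sshd permits them. Conversely, "Defaults targetpw" with "ALL ALL=(ALL) ALL" means every user may run sudo but must know the root password, which is the openSUSE model Michal is defending and the opposite of the Ubuntu one.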