[nycbug-talk] A couple of security related questions
Isaac Levy
ike
Mon Oct 4 11:56:42 EDT 2004
Hi All,
A Darwin Tangent on this topic- sudo rocks,
On Oct 4, 2004, at 11:34 AM, Dave Steinberg wrote:
> chmod 500 /usr/bin/su
>
> And use caution with your sudoers file to make sure nobody can do
> 'sudo ksh' or use sudo to launch anything that can execute shell
> commands (vi, emacs, etc).
Darwin, by default, does not allow any user to directly su to root,
from a console, or otherwise. The root user 'is not enabled', and
therefore all root level access control is done via sudo. (the system
root user has no password)
Here's Apple's current official word on the subject:
http://developer.apple.com/qa/qa2001/qa1013.html
Here's some info on how to bypass this idea and enable root for your
Darwin box:
http://macosx.org/software/utilities/rootpass.html
--
That stated, it is basically manditory that users with root priviliges
use 'sudo csh' or 'sudo ksh' or 'sudo bash' or whatever shell, to get a
full root shell- but of course, this is strongly discouraged. I
personally feel this has been a strong positive decision from the
Darwin teams, made early on, insomuch as it requires application and
system design to adhere to sudo usage, which in the end, can be a MUCH
safer and saner way of working.
In the early days of Darwin, enabling root was somewhat necessary, but
after years of working with sudo now, I much prefer this way of
working, and don't enable root login via su on any mac I touch- desktop
or server.
I have also somewhat implemented this sort of policy once on a FreeBSD
server, with ok success. (by making the root shell /sbin/nologin )
--
With regard to root login, all you need to know for the ssh daemon is
in it's config file, usually in /etc/sshd_config .
Best,
.ike
More information about the talk
mailing list