This is a discussion on "Is a terminal running as root a security risk?" within the Linux Security forums, part of the System Security and Security Related category.
I am always trying something new. I gave Suse Linux a try because it is a
good desktop, but was hobbled. My OS is Mandriva 2006 with KDE.

I usually run 3 copies of Konsole, and one is usually logged in as root for
convenience. Would this take away the isolation of my user account which
is the strong point of Linux?

Doug.
--
I'm only a beer teetotaller, not a champagne teetotaller. - G.B. Shaw.
Doug Laidlaw <laidlaws@dougshost.invalid> (06-06-17 10:26:50):

> I usually run 3 copies of Konsole, and one is usually logged in as
> root for convenience. Would this take away the isolation of my user
> account which is the strong point of Linux?

Well, that's pure logic. If you always have a root console open, then
your root account is only as secured as your normal user account,
i.e. if you don't use screen locking, when you're away from the
keyboard, then everybody has root access. If you do use screen locking,
then your root account is bound to the security of the lock (e.g. the
strength of the password of your normal user account).

Different story for remote attackers. Theoretically an open root
console does not give a remote attacker access to it. But again, as
said, if you leave it open all the time, then it's only as secure as
your normal account. Remember, if the attacker gains access to your
normal user account, then they also have access to your Konsole
instance.

If you really need the root shell that often, then something is wrong
with your system (and security) concept. You should only need it for
system administration (like globally installing packages or changing the
timezone).

However, there are seldom cases, where you can't get around needing to
use the root shell frequently. In that case, I would recommend either
using sudo (if that's not much of an inconvenience), or setting a shell
timeout. I'm using zsh [1] as my shell, and it features the TMOUT
parameter. The root shell times out after 15 minutes, when I don't use
it. By the way, that's also useful for getting rid of stalled SSH
sessions. Most other (non-minimalistic) shells feature something
similar.

Regards,
E.S.

---

[1] http://www.zsh.org/
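The shell timeout recommended in the reply above, written out as an added example that is not part of the original thread. It assumes the snippet is sourced once from root's startup file (for instance /root/.bashrc or /root/.zshrc); the function names and ROOT_IDLE_SECONDS are hypothetical.

```shell
# Added example for root's shell startup file (for instance /root/.bashrc or
# /root/.zshrc; the location and all names below are assumptions).

ROOT_IDLE_SECONDS=900    # 15 minutes, the value mentioned in the post

# Print the idle timeout that applies to a shell, or 0 for "no timeout".
#   $1 = effective uid   $2 = shell option flags (value of $-)   $3 = seconds
idle_timeout_for() {
    case "$3" in
        ''|*[!0-9]*) echo 0; return 1 ;;   # refuse non-numeric values like "15m"
    esac
    [ "$1" -eq 0 ] || { echo 0; return 0; }   # ordinary users: no timeout
    case "$2" in
        *i*) echo "$3" ;;   # interactive root shell: enforce the timeout
        *)   echo 0 ;;      # scripts and cron jobs run as root are left alone
    esac
}

# Apply the result to the current shell. bash and zsh both end an interactive
# shell that sits idle at the prompt for TMOUT seconds; readonly keeps a later
# "TMOUT=0" or "unset TMOUT" in the same session from switching it off.
apply_idle_timeout() {
    t=$(idle_timeout_for "$(id -u)" "$-" "$ROOT_IDLE_SECONDS") || return 1
    if [ "$t" -gt 0 ]; then
        TMOUT=$t
        readonly TMOUT
    fi
}

apply_idle_timeout
```

The timer only runs while the shell waits at its prompt, so a long-running command or an editor left open in the root terminal is not affected.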
On 2006-06-17, Doug Laidlaw wrote:

> I am always trying something new. I gave Suse Linux a try because it is a
> good desktop, but was hobbled. My OS is Mandriva 2006 with KDE.
>
> I usually run 3 copies of Konsole, and one is usually logged in as root for
> convenience. Would this take away the isolation of my user account which
> is the strong point of Linux?

No, there is no problem with that. The only problem is if you are
tempted to use the root konsole when it is not necessary.

--
Chris F.A. Johnson, author <http://cfaj.freeshell.org>
Shell Scripting Recipes: A Problem-Solution Approach (2005, Apress)
===== My code in this post, if any, assumes the POSIX locale
===== and is released under the GNU General Public Licence
Ertugrul Soeylemez wrote:

> Doug Laidlaw <laidlaws@dougshost.invalid> (06-06-17 10:26:50):
>
>> I usually run 3 copies of Konsole, and one is usually logged in as
>> root for convenience. Would this take away the isolation of my user
>> account which is the strong point of Linux?
>
> Well, that's pure logic. If you always have a root console open, then
> your root account is only as secured as your normal user account,
> i.e. if you don't use screen locking, when you're away from the
> keyboard, then everybody has root access. If you do use screen locking,
> then your root account is bound to the security of the lock (e.g. the
> strength of the password of your normal user account).
>
> Different story for remote attackers. Theoretically an open root
> console does not give a remote attacker access to it. But again, as
> said, if you leave it open all the time, then it's only as secure as
> your normal account. Remember, if the attacker gains access to your
> normal user account, then they also have access to your Konsole
> instance.
>
> If you really need the root shell that often, then something is wrong
> with your system (and security) concept. You should only need it for
> system administration (like globally installing packages or changing the
> timezone).
>
> However, there are seldom cases, where you can't get around needing to
> use the root shell frequently. In that case, I would recommend either
> using sudo (if that's not much of an inconvenience), or setting a shell
> timeout. I'm using zsh [1] as my shell, and it features the TMOUT
> parameter. The root shell times out after 15 minutes, when I don't use
> it. By the way, that's also useful for getting rid of stalled SSH
> sessions. Most other (non-minimalistic) shells feature something
> similar.
>
>
> Regards,
> E.S.
>
>
> ---
>
> [1] http://www.zsh.org/

Thanks. I am a home user and my wife is the only other person in the
house. She has her own computer running XP, and wouldn't know about Linux.
In addition, I am living in an aged people's village. Very few here are
computer-literate. My only concern was vulnerability to online hacking.

Doug.
--
Imagine all the people living for today. - John Lennon.
Doug Laidlaw <laidlaws@dougshost.invalid> (06-06-18 13:44:30):

> Thanks. I am a home user and my wife is the only other person in the
> house. She has her own computer running XP, and wouldn't know about
> Linux. In addition, I am living in an aged people's village. Very
> few here are computer-literate. My only concern was vulnerability to
> online hacking.

I'd strongly advise you to never leave security holes open out of
trust. At least lock your screen, when you're away.

Regards,
E.S.
Ertugrul Soeylemez <never@drwxr-xr-x.org>:

> Doug Laidlaw <laidlaws@dougshost.invalid> (06-06-18 13:44:30):
>
> > Thanks. I am a home user and my wife is the only other person in the
> > house. She has her own computer running XP, and wouldn't know about
> > Linux. In addition, I am living in an aged people's village. Very
> > few here are computer-literate. My only concern was vulnerability to
> > online hacking.
>
> I'd strongly advise you to never leave security holes open out of
> trust. At least lock your screen, when you're away.

Recently, a young woman here was busted for trolling old folk's
villages for money to support her drug habit. It's not inconceivable
(though perhaps highly unlikely) that such a person might understand
how to navigate a Unix command line.

If she can auto-login to your bank's website, she'll hurt you. It's
just a web browser, after all, and that takes no smarts to use.

Lock your X sessions. Strength and honour.

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html
Spammers! http://www.spots.ab.ca/~keeling/emails.html