From owner-freebsd-questions Wed Apr 29 13:34:26 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA23092 for freebsd-questions-outgoing; Wed, 29 Apr 1998 13:34:26 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from gdi.uoregon.edu (gdi.uoregon.edu [128.223.170.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA23084 for ; Wed, 29 Apr 1998 13:34:17 -0700 (PDT) (envelope-from dwhite@gdi.uoregon.edu)
Received: from localhost (dwhite@localhost) by gdi.uoregon.edu (8.8.7/8.8.8) with SMTP id NAA13167; Wed, 29 Apr 1998 13:34:02 -0700 (PDT) (envelope-from dwhite@gdi.uoregon.edu)
Date: Wed, 29 Apr 1998 13:34:02 -0700 (PDT)
From: Doug White
Reply-To: Doug White
To: Gary Schrock
cc: Jan Koum , freebsd-questions@FreeBSD.ORG
Subject: Re: any way to make ssh logins log to messages?
In-Reply-To: <199804231912.PAA08936@eyelab.psy.msu.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 23 Apr 1998, Gary Schrock wrote:

> >P.S. -- Don't use root for eMails. :)
>
> Yeah, yeah, it's just too much of a pain to change it at this point :).
> Although (and this really would belong on -security) I'd be interested in
> hearing exactly why this would really cause any more problems than not
> using root. I don't actually read the mail on the system, so I can't think
> of any reason it would open things up to problems more.

Mailing as root implies you log in as root. And as root, the system lets you do whatever you want even if you didn't mean it, like accidentally typing `rm -rf /' instead of `rm -rf .' Note that the . and the / key are next to each other :)

In addition, it allows the distribution of root-exploit viruses & trojans and other nasty problems that Linux people typically have since they always run as root.

If you want root mail to go to you then simply modify the root alias in /etc/aliases.

The next question is usually how to allow remote root logins, which is disabled by default to keep people in Botswana from running passwd guessers against it.

Lastly, it discourages my favorite security practice: Change the root password to something random, put it in an envelope and tape it to the CPU. Then install sudo and tell people to use that if they need admin access. With sudo you can control what programs people can execute, and see what they've been up to since it's logged. If you ever need the root password, it's there, but as of yet I've never needed to make use of it.

Doug White                            | University of Oregon
Internet: dwhite@resnet.uoregon.edu   | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite  | Computer Science Major

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
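
The message above notes that sudo logs what people run. As an added example (not part of the original message), this script reviews such entries: it assumes sudo's usual syslog line layout, and the host name, user names and sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample of syslog lines; host "hostA" and users alice/bob are made up.
sample_log() {
cat <<'EOF'
Apr 29 13:40:01 hostA sudo:    alice : TTY=ttyp0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
Apr 29 13:42:17 hostA sudo:      bob : TTY=ttyp1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/shutdown -r now
Apr 29 13:45:09 hostA login: ROOT LOGIN (root) ON ttyv0
Apr 29 13:50:33 hostA sudo:    alice : command not allowed ; TTY=ttyp0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Apr 29 14:02:48 hostA sudo:    alice : TTY=ttyp0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/newaliases
EOF
}

# sudo_events: read syslog lines on stdin and print one
# "user<TAB>status<TAB>command" record per sudo entry.
# status is "ok" for a permitted command, otherwise sudo's refusal reason.
sudo_events() {
  awk '
    / sudo: / {
      line = $0
      sub(/^.* sudo: */, "", line)        # drop timestamp, host and tag
      split(line, f, " ; ")               # sudo separates fields with " ; "
      split(f[1], head, " : ")            # "user : TTY=..." or "user : reason"
      user = head[1]; gsub(/ /, "", user)
      status = (head[2] ~ /^TTY=/) ? "ok" : head[2]
      # Take everything after COMMAND= so arguments containing " ; " survive.
      p = index(line, "COMMAND=")
      cmd = (p > 0) ? substr(line, p + 8) : ""
      printf "%s\t%s\t%s\n", user, status, cmd
    }'
}

# denied_attempts: only the entries that sudo refused.
denied_attempts() {
  sudo_events | awk -F'\t' '$2 != "ok"'
}

# commands_by_user: number of permitted commands per user, sorted by user name.
commands_by_user() {
  sudo_events |
    awk -F'\t' '$2 == "ok" { n[$1]++ } END { for (u in n) print u, n[u] }' |
    sort
}

echo "Permitted commands per user:"; sample_log | commands_by_user
echo "Refused attempts:";            sample_log | denied_attempts
```

On a real system, feed the functions the file that syslog.conf sends sudo's messages to instead of `sample_log`.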