If you have a uid=0, but you do not have the username of root can you
write files like the ones in /etc/iscsi or /var/lib/iscsi or can you
write to some proc/sysfs files like the
/sys/block/sdX/device/queue_depth one?
Hi Mike!
I guess so, because the open() syscall doesn't care about the user's name; just about the UID (and GIDs).
Ulrich
I wonder whether "sudo" could solve your problem.
Ulrich
>>> Thomas Weichert <tho...@weichert-web.de> wrote on 10.11.2011 at 09:33 in
message
<13d84f75-4818-40be...@i15g2000yqm.googlegroups.com>:
Hi!
I wonder how changing the permissions of root will make the system more secure: If someone manages to break in as "root", he will find out what the real root is. Having multiple roots will not add anything to security IMHO, either. I agree with the permission check, but I'm worried about your security policies ;-)
Regards,
Ulrich
I have been checking with the security people at various distros and
they seem to think just checking for uid=0 would be ok.
I am going to check what some other tools are doing just to make sure.
What do you mean with the "changing the permissions of root"?
In the kernel, the user-id 0 is allowed to do everything (and there is
no "user name" in the kernel).
If you call the user with the user-id 0 "root" in user-space via
the /etc/passwd (or LDAP or ....) file doesn't really matter.
> more secure: If someone manages to break in as "root", he will find
> out what the real root is.
That is actually confusing (though everyone is used to it): "to become
root" technically means actually "assume the user-id 0".
Every user (who is logged in) can look into /etc/passwd (or LDAP or ...)
and see, which username is associated with 0 (otherwise `ls` can't
translate the uids from the filesystem into human-readable usernames).
I seriously doubt that renaming the "root" (and having a normal account
with the name "root") actually adds security. From the outside, you
shouldn't allow "root logins" anyway (read: a login where one ends up
with the user-id 0) and if you are on the system, you can look up the
user-name anyways.
So that will IMHO just add confusion .....
> Having multiple roots will not add anything
> to security IMHO, either. I agree with the permission check, but I'm
Well, you can have different passwords for the various users with user-id
0. But what can one do with that which can't be done with e.g. "sudo"?
> worried about your security policies ;-)
[ Fullquote deleted ]
Bernd
--
Bernd Petrovitsch Email : be...@petrovitsch.priv.at
LUGA : http://www.luga.at
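The distinction drawn in the message above, as an added example that is not part of the thread and is not open-iscsi code: a privilege check keyed on the account name gives the wrong answer in both directions once uid 0 is renamed, while a check on the numeric id does not. The passwd entries and the function names `uid_for_name`, `privileged_by_name` and `privileged_by_uid` are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed passwd(5) sample (not from the thread): uid 0 is named
 * "sysadm", a second uid-0 account exists, and "root" is an ordinary user. */
static const char *SAMPLE_PASSWD =
    "sysadm:x:0:0:renamed superuser:/root:/bin/sh\n"
    "admin2:x:0:0:second uid-0 account:/root:/bin/sh\n"
    "root:x:1001:1001:ordinary account:/home/root:/bin/sh\n";

/* Find `name` in passwd-format text and store its uid; 0 on success, -1 if absent. */
int uid_for_name(const char *passwd, const char *name, uid_t *uid_out)
{
    size_t nlen = strlen(name);
    for (const char *line = passwd; line && *line; ) {
        if (strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *pw_end = strchr(line + nlen + 1, ':'); /* end of password field */
            if (!pw_end) return -1;
            *uid_out = (uid_t)strtoul(pw_end + 1, NULL, 10);
            return 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Hypothetical name-based check: trusts a label that exists only in user space. */
int privileged_by_name(const char *name) { return strcmp(name, "root") == 0; }

/* Id-based check: the numeric id is all the kernel sees. */
int privileged_by_uid(uid_t uid) { return uid == 0; }

int main(void)
{
    const char *names[] = { "sysadm", "admin2", "root" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        uid_t uid;
        if (uid_for_name(SAMPLE_PASSWD, names[i], &uid) == 0)
            printf("%-7s uid=%-5lu by_name=%d by_uid=%d\n", names[i],
                   (unsigned long)uid, privileged_by_name(names[i]), privileged_by_uid(uid));
    }
    printf("this process: euid=%lu privileged=%d\n",
           (unsigned long)geteuid(), privileged_by_uid(geteuid()));
    return 0;
}
```

A real tool would call `geteuid()` directly, as the last `printf` does, and never consult the name at all.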
As far as I know, multiple root users are employed because of tracing
reasons, and definitively not in order to make the system more secure
(especially since the systems are within a LAN and not exposed to the
outside world).
Moreover, I am not the system administrator and I actually do not care
about any permission or security policies. So, thanks for explaining
the technical insights about usernames and ids - however, this does
not change the fact, that there is a bug in open-iscsi.
Kind regards
Thomas
Here is a patch for this.