From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Block root user from login on xorg GUI
Date: Sat, 14 Nov 2009 22:46:44 +0200

On Saturday 14 November 2009 21:32:39 Mick wrote:
> > Approach security a little more sanely and don't give untrusted users
> > root access? If you have to take steps to restrict the root account,
> > you need to rethink who has use of it. Preventing damage in the event
> > that the system does get compromised is one thing, but trying to
> > control someone who is given access to root on the software side is
> > the wrong approach, in my incredibly non-humble opinion.
>
> You are right of course, but in this particular case the guy who pays
> wants to have root access.

And you agreed to work like that?

So when he fucks things up good royal and proper, will he gladly accept his
shafting and pay you more to undo it? Or will he do the usual customer stunt
and blame you?

I only work under one of two conditions:

I am root and the customer is not.
The customer is root and I am not.

> So, I'm just trying to find an easy way to
> protect him from himself. Initially I implemented SELinux, but had to
> pull that back because I couldn't in any quick way get Nagios cgi working
> with it. One day I may find some time to get back to it.

--
alan dot mckinnon at gmail dot com