Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070404001636.GA20806@openwall.com>
Date: Wed, 4 Apr 2007 04:16:36 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: Owl-based desktop environment

Grigoriy,

On Mon, Apr 02, 2007 at 02:42:05PM +0400, Grigoriy Strokin wrote:
> On Mon, Apr 02, 2007 at 04:56:53AM +0400, Solar Designer wrote:
> > Yes - Dmitry has already explained that you should be able to use most
> > RPMs from RHEL4 and FC3, as well as some from FC4.
> And what exactly is Owl-incompatible in FC4?

The version of db4 in Owl 2.0 is close to that in RHEL4 and FC3, but not
in FC4.  However, it has since been updated, so db4 in Owl-current is
actually close to FC4's.

> Specifically, can I use xorg-x11-* from FC4 to get a relatively fresh
> X.org?

Yes, maybe - feel free to try and report back in here.

> One of operations I'll need often is halt/reboot.  How do I use
> shutdown as grg without making /sbin/shutdown suid root? Man shutdown
> says about /etc/shutdown.allow, but I think it assumes suid root anyway.

The default /etc/inittab tells init to invoke /sbin/shutdown (with some
options) on Ctrl-Alt-Del (when you're on a text console).  This does not
require you being logged in.

> I meant that disabling the root password altogether might add more
> security.

It really doesn't help much, if the password would have been strong.

>   1) Disable the password for root and add a ssh key to
>      ~root/.ssh/authorized_keys.
>   2) Do not store this ssh key in ~grg/.ssh/, but create another
>      account grg2 and place the ssh key there. Therefore, grg can never
>      become root even if the account is compromised.
>   3) Allow grg2 to login only from the physical console.
>   4) Every time I need to become root, switch to another
>      console where grg2 is logged in, and run ssh root@0 there (and type
>      the passphrase).
> 
> Does it make sense?

It's not very different from only allowing root logins from the physical
console.  You seem to be adding complexity for no gain.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

-- 
To unsubscribe, e-mail owl-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.