Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-user

From: Dirk Heinrichs <dirk.heinrichs@××××××.de>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Block root user from login on xorg GUI
Date: Sun, 15 Nov 2009 10:27:19
Message-Id: 200911151022.25803.dirk.heinrichs@online.de
In Reply to: Re: [gentoo-user] Re: Block root user from login on xorg GUI by Alan McKinnon
1 Am Samstag 14 November 2009 23:50:42 schrieb Alan McKinnon:
2
3 > On Saturday 14 November 2009 22:46:18 Dirk Heinrichs wrote:
4 > > Am Samstag 14 November 2009 16:13:04 schrieb Nikos Chantziaras:
5 > > > Ever heard about make menuconfig?
6 > >
7 > > ???
8 >
9 > The account foolishly being "prevented" from bypassing SELinux is root.
10 >
11 > So, configure a new kernel, disable SELinux, build, install, reboot.
12 >
13 > Voila! No SELinux.
14 >
15 > Or,
16 >
17 > Edit grub.conf, reboot.
18 >
19 > Voila! No SELinux.
20 >
21 > Or, (as SELinux can be used to prevent access to grub.conf)
22 >
23 > Just hit the damn power button and edit the kernel options in the grub
24 > command line.
25
26 Compile in kernel options, configure the kernel not to accept additional ones.
27 Damn power button rendered useless.
28
29 > Trying to prevent root from doing $STUFF on a pc is utterly and completely
30 > pointless and simply will not succeed, ever. There is hardware where this
31 > can be done, but it's not a PC, has no Intel designs in it and is often
32 > truly secured with armed guards.
33
34 This all implies physical access to the machine, right?
35
36 > trying to prevent root from doing $STUFF on Unix is utterly and completely
37 > pointless and simply will not succeed, ever. There are OSes where this can
38 > be done, but they are not Unix. By definition, on Unix root can do
39 > anything, including bypassing systems to prevent root from doing anything.
40
41 SELinux allows to spread the tasks root needs to do or can do accross several
42 roles. Of course, if only one single person has root access to the system this
43 doesn't make sense. But we're talking about cases where several people (incl.
44 the malicious attacker) have root access. So you can very well configure a
45 (SE-)Linux system so that "root" can't do everything.
46
47 Bye...
48
49 Dirk

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
[gentoo-user] Re: Block root user from login on xorg GUI Nikos Chantziaras <realnc@×××××.de>
Report Message
Find on MARC Find on Google Groups