[KLUG Members] Security setup ...

[Eric Beversluis]

This is how I thought it worked too. 
EB

On Wed, 2005-04-20 at 10:15 -0400, Bruce Smith wrote:
> An interesting point was brought up during last night's presentation on
> security.  Since it was slightly off topic, I didn't want to interrupt
> the ongoing presentation to argue the point, so I'll bring it up here.
> 
> Someone said (implied?) that Mac OS-X was not as secure as Linux because
> some users are also administrators.  I disagree, which leads me to
> believe that person doesn't fully understand Mac OS-X security.
> 
> While I'm a short-time OS-X user myself, this is how I believe it works:
> (OS-X veterans, please correct me if I'm wrong!)
> 
> OS-X has a security setup very similar to Linux and classic Unix
> systems.  OS-X has a user named "root", but root's password is disabled
> by default.  When a "administrator" user does something that requires
> root privileges (like installing software), all work is done with
> "sudo".  And whenever this happens, a password prompt pops up and the
> admin-user has to enter his own password to proceed (not root's).
> 
> Only users who have "administrator" privileges are allowed to run
> commands with sudo.  (they are probably the member of some admin group)
> 
> The way I see it, the only difference between OS-X, and SuSE/Redhat/...
> running a admin GUI, is the password the user types in is his own
> password instead of root's password.  Since a password is required in
> either case, I don't see much of a difference when it comes to virus
> type programs gaining access to the privileged areas of the system.
> 
> The point could be made that in some sense it is slightly less secure
> because the admin only has to know one password instead of two.  OTOH,
> it could be considered more secure because the root account is disabled
> by default.  I see the trade-off as a wash myself.
> 
> On a side note, it is possible (and easy) for an administrator to put a
> real password on the root account (activating the account), which allows
> users to "su" from the command line, and/or log in directly as root.
> This does NOT change how the GUI's work (they still use sudo).
> 
> One last point.  I've been playing around with Ubuntu, and they seem to
> have their system configured the same way as OS-X, where all admin GUI's
> run sudo and the user has to enter their own password instead of the
> root password.  (which is frustrating if you don't know that and you
> can't get it to take root's password in the dialog box :)
> 
> Is that the security model of the future for Linux?  Are other distro's
> planning on going that way?  Just wondering ...   :-)
> 
>  - BS
> 
> 
> _______________________________________________
> Members mailing list
> Members at kalamazoolinux.org
>