[KLUG Members] Security setup ...
Eric Beversluis
econophil at charter.net
Wed Apr 20 11:12:44 EDT 2005
This is how I thought it worked too.
EB
On Wed, 2005-04-20 at 10:15 -0400, Bruce Smith wrote:
> An interesting point was brought up during last night's presentation on
> security. Since it was slightly off topic, I didn't want to interrupt
> the ongoing presentation to argue the point, so I'll bring it up here.
>
> Someone said (implied?) that Mac OS-X was not as secure as Linux because
> some users are also administrators. I disagree, which leads me to
> believe that person doesn't fully understand Mac OS-X security.
>
> While I'm a short-time OS-X user myself, this is how I believe it works:
> (OS-X veterans, please correct me if I'm wrong!)
>
> OS-X has a security setup very similar to Linux and classic Unix
> systems. OS-X has a user named "root", but root's password is disabled
> by default. When an "administrator" user does something that requires
> root privileges (like installing software), all work is done with
> "sudo". And whenever this happens, a password prompt pops up and the
> admin-user has to enter his own password to proceed (not root's).
>
> Only users who have "administrator" privileges are allowed to run
> commands with sudo. (They are probably members of some admin group.)
>
> The way I see it, the only difference between OS-X, and SuSE/Redhat/...
> running an admin GUI, is the password the user types in is his own
> password instead of root's password. Since a password is required in
> either case, I don't see much of a difference when it comes to virus
> type programs gaining access to the privileged areas of the system.
>
> The point could be made that in some sense it is slightly less secure
> because the admin only has to know one password instead of two. OTOH,
> it could be considered more secure because the root account is disabled
> by default. I see the trade-off as a wash myself.
>
> On a side note, it is possible (and easy) for an administrator to put a
> real password on the root account (activating the account), which allows
> users to "su" from the command line, and/or log in directly as root.
> This does NOT change how the GUIs work (they still use sudo).
>
> One last point. I've been playing around with Ubuntu, and they seem to
> have their system configured the same way as OS-X, where all admin GUIs
> run sudo and the user has to enter their own password instead of the
> root password. (which is frustrating if you don't know that and you
> can't get it to take root's password in the dialog box :)
>
> Is that the security model of the future for Linux? Are other distros
> planning on going that way? Just wondering ... :-)
>
> - BS
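Added example, not part of either message above and not code from any distribution: a small audit of the two properties the thread discusses, a root account with its password disabled and sudo rights granted through an admin group. The file contents, the group name "admin" and the user names are constructed assumptions; the parsing covers only plain user and %group sudoers entries.

```python
# Constructed sample data, not copied from any real system.
SHADOW = """root:!:12890:0:99999:7:::
alice:$1$constructed$hash:12890:0:99999:7:::
guest:$1$constructed$hash:12890:0:99999:7:::
"""
GROUP = """admin:x:110:alice
users:x:100:alice,guest
"""
SUDOERS = """# constructed sudoers fragment
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""

def root_password_disabled(shadow_text):
    """True if root's password field starts with '!' or '*' (no hash can match)."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) > 1:
            return fields[1].startswith(("!", "*"))
    raise ValueError("no root entry in shadow data")

def group_members(group_text):
    """Map group name -> set of users listed as supplementary members."""
    members = {}
    for line in group_text.splitlines():
        if line.strip():
            name, _pw, _gid, users = line.strip().split(":", 3)
            members[name] = {u for u in users.split(",") if u}
    return members

def sudo_capable_users(sudoers_text, group_text):
    """Users granted a rule directly or through a %group entry.
    Simplified: ignores aliases, includes, Defaults and primary-group membership."""
    groups = group_members(group_text)
    allowed = set()
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        who = line.split()[0]
        if who.startswith("%"):
            allowed |= groups.get(who[1:], set())
        else:
            allowed.add(who)
    return allowed

if __name__ == "__main__":
    print("root password disabled:", root_password_disabled(SHADOW))
    print("may use sudo:", sorted(sudo_capable_users(SUDOERS, GROUP)))
```

An empty password field is reported as not disabled, since it means the account has no password at all rather than a locked one.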