Re: [K12OSN] when running ltsp-server-tweaks

On Wed, Aug 31, 2011 at 2:16 PM, Burke Almquist <burke thealmquists net> wrote:

> On Aug 31, 2011, at 7:23 AM, Jim Kinney wrote:
>
>> Bear in mind that blocking direct root login to X and gdm was implemented because of the huge security issues exposed. X already runs with many root privileges due to how X interacts with the hardware layer. Opening PAM to allow root login from terminals is flat out dangerous as the security of the password process over the network is an exposure that's not balanced by the convenience. With the exception of gconf editing now requiring an active X session to work, there is no reason for root to ever log in anywhere except the actual console of the server and only at the command line.
>> Current Linux distros basically should never have a need for direct root login unless the system is being put into single user mode for repairs.
>
> FYI, I didn't try logging in as root on the terminals, just on the server.

Good to hear, as that cuts down on some of the security issues. However, as all (most) thin client processes run on the server itself, and X has many data leaks, logging in as root in X on the server is still a security nightmare asking for exploitation. And with a flock of curious kids looking for "fun things to do", a political problem waiting to happen :-)

Besides, EVERYTHING needed for administration of a Linux server can be done with su, sudo or the GUIs with the root password.

OK. So single user mode to fix a disk that has failed and a few repartitioning things requires root login in runlevel 1. But other than that, and the gconf thing, but, really, nothing else ....


Be wary of middle and high school students. They be crafty little imps! Fork-bombs are a fun way to bring class to a halt!

