Ridding myself of root passwords?

Michael Torrie torriem at gmail.com
Thu Feb 6 11:42:48 MST 2014


On 02/06/2014 11:18 AM, S. Dale Morrey wrote:
> Process was running as an unprivileged user.
> I'm guessing SELinux might have helped but as we discussed before I make
> it a habit to shut that off because 99% of the time it's just in my way.
> Many, many times the only solution to a daemon not launching is "setenforce
> 0" or some other "let's shut off selinux" type of answer, to the point that
> disabling it is one of the first things I do.  I can't have security
> getting in the way of usability all the time like that.

Guess I'm just saying that disabling root's login doesn't prevent a
local escalation from a normal uid to uid 0.  uid 0 always will exist,
even if root is disabled.

Yes selinux would have saved you, had you been able to configure the
darn thing to work right!  Seems like selinux works great with
distro-packaged daemons, but trying to get third-party daemons to
install and run with selinux properly is a chore.

> If something is a high value target (for instance if I had kept bitcoins on
> that server) I might have considered leaving it on and trying to make them
> play nice.  Fact is I was using it as a feeder node for a pool.  The worst
> possible thing that could have happened in that case is that someone could
> turn it into a spam relay (which they did).
> 
> The daemon was bitcoind or actually a variant, but the important bits are
> all bitcoind.  Fortunately I'm not dumb enough to leave money sitting on a
> box on the internet :)
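
The point made in the reply above, that uid 0 still exists when root's login is disabled, shown as an added example that is not part of the original post. It lists every account that maps to uid 0 and the state of its shadow password field. The file contents and the account names toor and coind are constructed for illustration.

```shell
#!/bin/sh
# uid0_report PASSWD_FILE SHADOW_FILE
# Prints "name:state" for each uid-0 account. state is one of:
#   locked     - shadow field starts with ! or * (no password login)
#   nopassword - shadow field is empty
#   hashed     - a password hash is set
#   noshadow   - the account has no shadow entry
uid0_report() {
    awk -F: '
        FILENAME == ARGV[1] { pw[$1] = $2; seen[$1] = 1; next }  # shadow pass
        $3 == 0 {                                                # passwd pass
            if (!($1 in seen))          state = "noshadow"
            else if (pw[$1] == "")      state = "nopassword"
            else if (pw[$1] ~ /^[!*]/)  state = "locked"
            else                        state = "hashed"
            print $1 ":" state
        }
    ' "$2" "$1"
}

# Constructed sample files: root has a locked password and a nologin shell,
# yet its passwd entry still maps to uid 0, and a second uid-0 account exists.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/sh
coind:x:1001:1001:pool feeder:/home/coind:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:!:16107:0:99999:7:::
daemon:*:16107:0:99999:7:::
toor:$6$CONSTRUCTED$notarealhash:16107:0:99999:7:::
coind:$6$CONSTRUCTED$notarealhash:16107:0:99999:7:::
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
uid0_report "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

On a real system the same function can be run as root with /etc/passwd and /etc/shadow as its arguments.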
