Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 2 Jul 2000 00:28:44 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Bill Barnes <bbarnes@operamail.com>
Cc:        cjclark@alum.mit.edu, freebsd questions <questions@FreeBSD.ORG>
Subject:   Re: Ports via FTP
Message-ID:  <20000702002843.J1820@dialin-client.earthlink.net>
In-Reply-To: <398F046C@operamail.com>; from bbarnes@operamail.com on Sun, Jul 02, 2000 at 01:55:41AM -0400
References:  <398F046C@operamail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Jul 02, 2000 at 01:55:41AM -0400, Bill Barnes wrote:
> I created the wrong impression.  It isn't FreeBSD that I'm worried about, it's 
> the crackers.  
> This afternoon and evening the download was stalled a lot and there is some 
> offline peparation time and I've read there is significant risk in connecting 
> to the internet as root.
> It doesn't matter too much right now because I just installed and haven't 
> anything to lose.  I was logged in as root for other maintenance and, frankly, 
> forgot about that until I started the ftp.
> If i login as non-root, establish the internet connection, then su for the ftp 
> process, does that eliminate the risk of 'root online'; or maybe I am worried 
> about a non-problem.

Hmmm... I'm still not quite understanding you. How do you log in as
non-root to establish the Internet conncetion, _then_ ftp after su'ing
to root. I mean, isn't the ftp connection the "Internet connection" we
are talking about?

So I'm not sure what "root on-line" risk you are talking about
either. To me, that might typically be logging into a machine as root
remotely. That is, being root on the remote machine, not locally, with
the accompanying risk being to the remote machine. The problem is that
authenication is going out over the network as well as everything you
type (so it better be encrypted). There can be risks to both local and
remote machines if you are running X as root over a net (not doing
that, right?).

In this case, you are using things like anonymous ftp or http to
connect to other machines. This is only a risk if you do not feel safe
with FreeBSD's ftp, fetch, or whatever application you may use to
connect to the untrusted machine. If misbehavior on the remote server
can get your ftp client, which is running as root, to do bad things
(like execute arbitrary code), then you are in trouble.

There is some risk there. Never connect to an untrusted machine using
lynx from root, lynx has known buffer overflows (I forget if exploits
have been demonstrated). I, personally, would never use Netscape as
root for similar reasons and others. However, I feel that ftp and
fetch are pretty safe and regularly use root to do a port install from
end-to-end.
-- 
Crist J. Clark                           cjclark@alum.mit.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000702002843.J1820>