Ah, I gotcha. I misunderstood what you were trying to say.
etherealpanda
Latest posts made by etherealpanda
-
RE: Eee PC "security"
-
RE: Eee PC "security"
@morbiuswilters said:
I do have this, it's called a "backup" and instead of copying the files locally it rsyncs them to an off-site server. It is still possible for me to lose changes since my last backup if I rm -r my home directory. Also, I don't back up my music or video as I have them on the original media and I don't want to bother having that much extra disk space.
I didn't know you had an off-site backup server, so I assumed you had none. I don't have the resources for a backup server at home, so my setup allows for me to still have a reasonable amount of security with my nightly backups.
@morbiuswilters said:
I don't run Apache as root, my point is that it makes no difference as Apache already has access to all important info. Sure, you can prevent code and config files from being deleted, but you should already have those in version control, anyway. You can't stop Apache from deleting anything your web app can delete, which means everything in the database it connects to and any files created by the web app. Also, an attacker can save copies of the data for themself and use it to cause harm to your customers. How much worse would root access be?
Yeah you're right, I should have my configuration in version control. I don't know why that's never occurred to me.
@morbiuswilters said:
Running as root isn't the end all be all of security problems. But, isn't security in general about plugging as many holes as you can? If someone got into my system and trashed my OS, it would take me at least a half of a day to get everything set back up (even with backups of my configuration). You're right that a hacker getting all of your client's data is a much bigger deal than restoring system binaries, but it would save the admin a lot of time if the only thing I need to restore is backups. Assuming someone actually was an expert, they shouldn't be recommending pointless security voodoo like this. I'm not saying "go run it as root"; what I'm saying is "there are several cases where there is essentially no difference between the damage a user account and root can do" and that acting like "running as root" is the root of all Unix security problems is absolutely ridiculous.
I see where you're coming from, but I just don't think I can agree.
-
RE: Eee PC "security"
@morbiuswilters said:
You also miss my point -- I can destroy my useful data as either root or myself but I can only destroy my useless data as root.
Perhaps you should reconsider your setup. I have a nightly rsync backup of my important files running as a root cronjob. The rsync sets the permissions of the copied files to root access only. This way, a rm -rf / won't wipe out anything except what I changed today. This wouldn't be as easy to ensure if I was running as an admin user. There are so many benefits to running as an underprivileged user, and the inconvenience of having to type sudo every now and then is so small. I just don't understand why people take the risk.
Also, it doesn't make sense to me why someone would need to run Apache as root. With an underprivileged daemon user you can have most of your content directories owned by another user and have the group / other only able to read it. (With the exception for directories that need content uploads, template compiling, etc.) If a hacker compromises Apache as root, not only can they erase all of your web content, but they can erase your configuration too. Which I don't know about you, but I spend way too much time customizing my server configs.
Of course I'm not going to deny I'm paranoid. But, I've also been burned one too many times by carelessness. Just keep in mind, the experts wouldn't recommend these things just to make your life harder. ;D
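
An added example, not part of the original post: one way to set up the root-owned nightly rsync copy described above and to check that it really is inaccessible to the unprivileged account. The paths, the script name in the crontab comment and the function names are assumptions.

```shell
#!/bin/sh
# Added example; SRC, DEST and both function names are hypothetical.
SRC="${SRC:-/home/alice/}"          # assumed source (trailing slash: copy contents)
DEST="${DEST:-/var/backups/alice}"  # assumed destination on the same machine

# Meant for root's crontab, e.g.:
#   0 3 * * * /usr/local/sbin/nightly-backup.sh run
run_backup() {
    # Root-owned 0700 parent: other accounts cannot even traverse into the copy.
    install -d -m 0700 -o root -g root "$DEST" || return 1
    # --chown/--chmod rewrite owner and mode on the copy (rsync 3.1.0 or newer).
    # --delete is left out on purpose: with it, a wiped source directory
    # would be mirrored into the backup on the next run.
    rsync -a --chown=root:root --chmod=Du=rwx,Dgo=,Fu=rw,Fgo= "$SRC" "$DEST/"
}

# Print every entry under $1 that is not owned by uid $2 (default 0) or that
# grants any permission bit to group or other. Symlinks are skipped because
# their mode bits are not meaningful. Uses the -perm /MODE form of GNU find.
# Returns 0 when the tree is clean, 1 when something is listed.
audit_backup() {
    dir=$1
    uid=${2:-0}
    bad=$(find "$dir" ! -type l \( ! -uid "$uid" -o -perm /077 \) -print) || return 2
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

case "${1:-}" in
    run)   run_backup ;;
    audit) audit_backup "$DEST" ;;
esac
```

The copy is only out of reach of the unprivileged account; a command run as root can still remove it, which is what the off-site copy mentioned in the thread covers.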