Cups changes

I normally log in to the system as an ordinary user and have several text windows open. In one of them I use "su" to get root privilege, and I don't use that to run a browser etc.

Reply to
Rob
Loading thread data ...

In the case of windows, it goes far beyond that mechanism. The risks of such attacks are far greater simply because of the sheer number of a monoculture windows OS in the hands of people with more money than sense. That is to say; the returns are far greater for the blackhats employed by the criminal gangs.

Although the "Security by Obscurity" adage is deprecated, it does reduce the level of attacks compared to that faced by windows users. Since most of the malware activity is in the nature of monetary gain rather 'Joy Riding', there is a much lower risk of a *nix system being rooted.

True, there is still a risk which shouldn't be ignored, but it's a much more managable risk. Indeed, I strongly suspect that windows 2000 professional (which I use) is now actively enjoying this benefit of "Security by Obscurity" simply because of its 0.02% market share being largely in the hands of users _with_ a clue making this a target best avoided since the gains are extremely low yet the risk of prematurely tripping alarm bells in the security community to more rapidly respond to Zero Day threats against the much more lucrative winXP (25% share) and Vista and win7 & 8 flavours provides all the reasons for the blackhats to go so far as to actively exclude win2k, despite it sharing most of the same (and more) of the vulnerabilities of the later OSes. It is, after all, a fairly trivial matter to code the malware install routine to silently remove itself (and its payload) when it discovers that it has landed on a win2k box.

The prime reason for there being any threats to *nix boxes at all is the higher liklihood of it being a server box where, to a first approximation, a compromised server is worth several thousand desktops running botware which justifes the much greater effort expended in compromising a *nix box.

With win2k, such a benefit is virtually non-existant. To the blackhat, win2k represents no useful gain whatsoever and only results in unwanted grief and pain to even try to attack it (why spoil a good Zero Day exploit against the more lucrative windows versions by a pointless attack on a windows 2000 box?).

Sadly, the one and only downside to using win2k today is the lack of current compatable software due to the various software houses actively excluding their product from installing or running on Microsoft's best windows to date.

I stand a much better chance of running modern software on a Linux box than I do with win2k. My next major hardware update sometime over the next 12 months will force me to ditch win2k as the host OS altogether. However, I won't be cursing the next reincarnation of my desktop PC with a Microsoft windows OS, it's going to be a Linux distro, most likely Linux Mint which seems the most promising so far.

If I need to run any 'Must Have' windows app software, I can always use winXP (or whatever minimal version of windows is required) installed in a VM, courtesy of VirtualBox. I can still have the best of both worlds without compromising my desktop PC with the latest s**te offerings from Microsoft.

Once you're running a windows OS in a virtual machine, you can treat it as a disposable app with the same disdain you'd reserve for a used condom (which is just about the same regard all versions of windows since win2k have ever deserved imho).

--
J B Good
Reply to
Johny B Good

You expertise and mastery of *nix style OS is astounding to us mere mortals who often make mistakes. I wonder if I can touch your cape and possible leech some of your awesome powers of sysadminess?

:-)

Reply to
mm0fmf

So, what makes you think I don't do the same on my RPi as I do on my other systems?

Almost the first thing I did to mine was to enable the root login. Amongst other things, this let me extend my LAN-wide backup system to cover the RPi.

The next was to set up CVS to point to my main source repository and then pull my standard /etc/sudoers file down and install it on the pi.

That sounds like a really mind-bogglingly stupid default configuration, but I suppose it does at least slightly inhibit ignorant attempts to browse the web etc while logged in as root.

--
martin@   | Martin Gregorie 
gregorie. | Essex, UK 
 Click to see the full signature
Reply to
Martin Gregorie

I don't. I only "su -" or login as root when I need to and make a point of minimising the length of time I stay there.

--
martin@   | Martin Gregorie 
gregorie. | Essex, UK 
 Click to see the full signature
Reply to
Martin Gregorie

Absolutely! :-)

I just "sudo -i" when I want a root login on systems where there isn't a root login. On systems where there is a root login I use it. I prefer to keep systems as default as possible.

--
Chris Green
Reply to
cl

B*ll*cks. Discussions on Windows security myths elsewhere please.

---druck

Reply to
druck

I think the "point" of this thread is that, since some actions have greater consequences/risks than others, it is prudent to require extra user effort to cause greater consequences.

It is also observable that actions performed frequently tend to become automatic.

Therefore, a safe, convenient system will optimize toward convenience for frequent, safer actions, and toward safety for infrequent, risky actions.

Any system for which risky actions are frequent cannot be made both safe and convenient.

There are many mechanisms that implement a variety of convenience-safety tradeoffs.

"sudo" is relatively convenient but also relatively unsafe if frequently needed (since it will become a habit to lessen an inconvenience).

Confirmation messages have a similar problem, but are at least presented after the action has been specified.

A safer, yet usually convenient, mechanism is typified by the "wastebasket" file deletion metaphor, which makes file deletion reversible for a period of time.

A time-stamped versioning file system provides an even safer and more convenient mechanism for preventing accidental data loss, but, of course, it does so by making it less convenient to permanently delete data. ;-)

System design is about considering safety/convenience tradeoffs as a conscious choice, and a subject of data-driven optimization for an intended use.

If a system has multiple intended uses, then it is usually best to support multiple behaviors, each more nearly optimal for its use.

--
-michael - NadaNet 3.1 and AppleCrate II: http://home.comcast.net/~mjmahon
Reply to
Michael J. Mahon

[snip lots of talk on root/sudo]

Back to printing files which was the starting topic I believe. The details usermod lpadmin were in etc/group when I checked. So I updated and upgraded Raspian which turned out to be extensive.

After that files to the printer were executed without the input of the usermod command.

More Linux magic!!

Thanks to all who gave advice Malcolm Smith

--
T M Smith 
Using an Iyonix and RISC OS 5.20 in the North Riding of Yorkshire
Reply to
T M Smith

After years of working as root and being prepared to take the consequences, I now occasionally do use sudo..

At least it makes me aware that I am delivering a potential nuclear payload to the operating system..

--
Everything you read in newspapers is absolutely true, except for the  
rare story of which you happen to have first-hand knowledge. ? Erwin Knoll
Reply to
The Natural Philosopher

well so that a fat finger doesn't bugger the entire operating system, is a good start.

Never logged in as root, forgotten that you WERE root (esp in the days when roots home dir was / ) and erased something you wanted to erase from your homedir - that irritating director /home/noob/etc where all sorts of junk was kept and instead deleted the entire OS /etc directory and subdirs?

I think the classic is. as root, to do something like this

1/. Forget this is root and not your homedir

2/ type without thinking: cd scratch (fails as there is not /scratch) then type :

3/ rm -r * (whilst in /... onot /home/me/scratch)

without looking at the failed to change directory thingie on screen..

--
Everything you read in newspapers is absolutely true, except for the  
rare story of which you happen to have first-hand knowledge. ? Erwin Knoll
Reply to
The Natural Philosopher

that's because it is an adaptation of Debian which is very much 'users have passwords' setup as default.

And is simply an expression of the fact that Raspbian isn't a total customised post.

--
Everything you read in newspapers is absolutely true, except for the  
rare story of which you happen to have first-hand knowledge. ? Erwin Knoll
Reply to
The Natural Philosopher

No. Never happened to me. In the old ages the root prompt was # and the user prompt was $ and it was easy to distinguish the two. In the past decade or two the current directory has been part of the prompt and it is easy to see where you are when you issue a command.

Reply to
Rob

sudo is perfectly fine (in fact there is a strong case for saying it is more secure than su). it is usually only the 1st user created on a debian installation that has sudo permissions.

in the case of the PI when it is the users own system then it makes very little difference they would have the root password & just switch to root (and probably stay there ) anyway.

The issue highlighted is without understanding of the permissions model new users could start to prefix all commands with sudo as habit without understanding why.

tutorials & examples need to be very clear about when & why it is needed. There also needs to be a way to access the GPIO without needing root. (perhaps a small daemon that accepts commands from other apps?)

Permissions, not just fore the reasons above but also so that user applications do not need to be run as root.

--
	Why are you doing this to me? 
	Because knowledge is torture, and there must be awareness before 
 Click to see the full signature
Reply to
alister

Either you are a God & there for perfect, or it is only a matter of time...

--
QOTD: 
	My mother was the travel agent for guilt trips.
Reply to
alister

I am aware being root in the console. There is the # and I also have a different colour scheme as opposed to my user consoles.

That's a completely different scenario. Here we are talking about personal machines. On my Linux boxes, no one else gets access, I am the only operator. If I were working on publicly accessible boxes, I certainly wouldn't leave root consoles open.

My wife wouldn't even know what to type in the console, she's a Window$ user. She doesn't even touch my computers unless I explicitly ask her to do so. So, still no reason for me not to use root consoles. It just doesn't make any difference, except sparing me to type sudo every time.

Reply to
Paul Berger

No, never done that. As root (and as user) I watch what I am typing and I certainly read the outcome. If I were that stupid not to, I'd be stupid enough to do the same with sudo.

Reply to
Paul Berger

Lucky you. Then again I don't suppose you were amongst 100 other different things expected to be sysadmin for a dozen *nix boxes under extreme commercial pressure.

Those pressures my not apply to a home hobbyist with a Pi, but they are real enough - and the mistakes common enough - for the sudo mechanism to have been built and adopted by those who were.

--
Everything you read in newspapers is absolutely true, except for the  
rare story of which you happen to have first-hand knowledge. ? Erwin Knoll
Reply to
The Natural Philosopher

It is always best to follow good practice even if only on a test system & not 100% necessary,m otherwise it is easy to develop bad habits & skip those same processes on a more important system.

--
Expert, n.: 
	Someone who comes from out of town and shows slides.
Reply to
alister

I have worked with Unix for over 30 years, and with Linux for over 20 years.

I remember only once deleting an entire directory tree when that was not intended, but it was not an OS tree. I simply restored it from the backup.

Reply to
Rob

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.