Subject: Re: Preventative security features?
To: None <tech-security@netbsd.org>
From: Dmitri Nikulin <setagllib@optusnet.com.au>
List: tech-security
Date: 11/13/2004 20:29:12
> This also would be a wonderful tool for an intruder once he is in and
> has root. Not much to lose then, you might say, but think of a DMZ shell
> host where road warriors jump through and forward to something inside.
>
> This means we would be able to watch the decrypted data stream on a pty
> between sshd and the users login shell, right?
>
> It does ring some data-privacy bells ;-)
>
> Martin
>  
>
Well, if root can be considered a machine-localised God, and 
Judeo-Christians don't mind losing their privacy in return for a system 
(life) to work in, then it's really not that bad :)

The idea is to prevent an intruder *getting* root by watching what he's 
(I'm assuming that the majority of the cracker population is pimply 
males) doing. Heck, this is a good way to find out what possible holes 
are in your system anyway. I once let in an 'experienced' friend of mine 
to a FreeBSD box and watched him explore its security, which then led me 
to tighten the screws. If you don't know what 'clever' people are doing 
in your machine, you can't stop them at all. It's amazing what some 
people know about your system you might never know without watching.

The other half of the assumption is that a remote root isn't practical 
(we all use pubkey-only protocol 2 openssh and on a mysterious non-22 
port with no root logins, right?) so the only root is a trusted root, 
and that this trusted root can prevent others getting root via a local 
exploit just by watching carefully. If not him, then the daemon as I 
also suggested.

There's still more good than bad here. If admins are more afraid of 
remote root snooping than themselves, then they can of course turn the 
functionality off... but should develop more confidence in their other 
security measures.