
Re: Editing system files from within Emacs




Sorry for the delay in my response, I have been away and I am just
getting caught up.  I would like to add my 2 cents on this issue.

I do not mean to frighten folks, but a comment was made about
security, and I would like to comment.  As a system admin of a medium
to large size installation, I must be more careful about security than a
user with their own linux box.  But since there may well be other
emacspeak users in my situation, here is what I do:

>>>>> "Jason" == Jason White <jasonw@ariel.ucs.unimelb.EDU.AU> writes:

Jason> I successfully tested T.V. Raman's ftp solution this morning,
Jason> and it works. <snip>
Jason> is only a security risk if you have not chosen a
Jason> strong root password.

I would disagree that this is not a security risk; using ftp to do root
work would allow the password to be sniffed.  Conversely, if you have
ftp configured so as not to request a password (I have never done
this but I understand it is possible) then you would be vulnerable to an
IP spoof attack.

This is fine on a personal machine that is off the net when the root
work is being done, but I would not recommend clear sending of
passwords at any time on a connected machine.  But of course I am
paranoid and many of the systems around mine have been compromised...

If you are using your own machine at home, you can most likely ignore
the rest of this message.

Here is what I do:

First, I use ssh for all intermachine communication.  It encrypts the
session.

For files that I as non root can read I make a copy of them, edit it
(as me) and then use term, su to root and overwrite the original with
the edited one, or use scp to put the edited version in place.  

For files that non root cannot read, I start term, su to root or use
scp to copy the file to my (non root) directory and change permissions
so that I own it, then follow the steps above. When done, I delete the
local copy of the file.

So, I am not editing as root.

I am only minimally on as root.

Sensitive files only exist in emacs buffers for a brief time.

I also use scp (part of ssh) to distribute files so on many machines I
never have to "log in" as root.  But then, I maintain dozens of machines.

And, yes, I use ssh not rsh to do my remote emacspeak server sessions.

Every once in a while someone on one of the emacs newsgroups says they
are working on a mode like ftp that will use scp and ssh from inside
of emacs, but until then, I would not use any mode that transmits a
clear password, or any emacs session (like shell) which may store a
password visibly even in a tmp buffer or variable.

Again, I am a system admin with several hundred users so I need to be
more cautious than most.

For info on ssh see

  http://www.cs.hut.fi/ssh

It is a nice package that is free for non commercial use on linux and
unix systems.

Greg
--
 Greg Priest-Dorman
 priestdo@cs.vassar.edu      NO SOLICITING


-----------------------------------------------------------------------------
       To unsubscribe or change your address send mail to
"emacspeak-request@cs.vassar.edu" with a subject of "unsubscribe" or "help"

