Rich Freeman on 23 Jan 2013 08:11:04 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] "playing nicely with others"

On Wed, Jan 23, 2013 at 10:12 AM, jeff <> wrote:
> On 01/23/2013 09:00 AM, Robert Spangler wrote:
>> 99% of all calls I receive for viruses and malware are directly connected
>> to
>> the admin account being used for everyday use.
> To be fair, when speaking of a corporate setting, there is entirely too much
> poorly-designed Win software that demands admin rights.  It causes no small
> amount of posterior hurt.

All true, but I think that in general we've gotten too used to "just
don't give admin rights" as a fix for everything.  It really isn't.

All of the following can be done without admin rights:
1.  Running an executable.
2.  Reading just about any file on the system - certainly any file
owned by the logged-in user.
3.  Sending arbitrary data to an arbitrary destination (via email,
sockets, http put, whatever).
4.  Monitoring the logged-in user's keystrokes.
5.  Deleting/modifying just about anything that actually has real
value.  The only stuff you can't modify is stuff that comes on the OS
install CD.
6.  Sending copies of an executable to arbitrary email addresses,
network shares (with write acces), etc.

About the only thing being non-admin does is protect the OS itself,
and other users who use the same computer (99% of the time there are

Oh, and all of the above works just fine on Linux as well as windows.
About the only thing that linux does is make it a bit more of a pain
to execute a file (which is a big help), but you're just as vulnerable
to application exploits if the file is a document with a registered

I think Linux is actually in need of security improvements in this age
of spear-phishing and such.  Apps need much finer-grained privileges.
There is no reason that Libreoffice needs to be able to read my
chromium cache.  There is no reason that any program that can read my
.xauthority file should be able to record all my keystrokes.

Of course setting up more granular security takes more work.
Certainly some of the RBAC solutions like SELinux and such do address
these kinds of problems, but rarely are they configured to this
extent.  The Linux security model is mainly about keeping users from
messing with each other, and that really isn't relevant to the typical
desktop user.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --