Might not be the admins
Posted Sep 11, 2011 22:22 UTC (Sun) by epa (subscriber, #39769)
Posted Sep 11, 2011 23:41 UTC (Sun) by elanthis (guest, #6227)
Posted Sep 12, 2011 4:55 UTC (Mon) by cmccabe (guest, #60281)
Personally I agree with epa. It's nice to have a server that just does one thing and doesn't offer shell accounts. It will be interesting to see what the admins decide to do to tighten security in the future.
Posted Sep 13, 2011 8:18 UTC (Tue) by epa (subscriber, #39769)
Just based on this email, we don't know whether the Linux servers were hacked at all. All we know is that the attackers managed to get control of a shell account and escalate that to root.
Come to think of it, even social engineering to get hold of the root password would count as 'hacking' in my book.
Posted Sep 23, 2011 19:27 UTC (Fri) by cmccabe (guest, #60281)
Like this one:
Posted Sep 13, 2011 8:15 UTC (Tue) by epa (subscriber, #39769)
The point is, user accounts can and do get compromised. If you can't trust your system to keep users properly isolated from each other, then don't give out user accounts. You would instead need to run virtual machines or some other heavily sandboxed environment. It's ugly, and I hate to admit it, but that's how things are.
Posted Sep 12, 2011 8:23 UTC (Mon) by AlexHudson (subscriber, #41828)
Posted Sep 13, 2011 8:20 UTC (Tue) by epa (subscriber, #39769)
Posted Sep 13, 2011 13:49 UTC (Tue) by foom (subscriber, #14868)
Might be best to give them out on a non-linux machine, then...