[OpenIndiana-discuss] Relocated root home directory
Sašo Kiselkov
skiselkov.ml at gmail.com
Sat Feb 9 20:41:33 UTC 2013
On 02/09/2013 08:55 PM, Roel_D wrote:
> Just a question out of interest:
>
> Let's say you put root's directory to another zfs dataset.
> This dataset has been backupped to an USB stick.
Hang on, you don't encrypt your back ups? Seriously? No offense dude,
but if you did that at my place, you'd find yourself in serious trouble
really soon.
> I find it (the USB) and I take it to a new OI server and try to
> import it. This will work since it is not encrypted.
Who in their right mind does backups to removable media unencrypted?
> On the new server i am root with a new/different password. Since i
> am root, i can open the old root directory and read its bash history.
> Voila. I know all things from the old admin.
You already committed so many capital crimes in systems administration
that you just deserved what is coming. In order, your crimes were:
1) You've used tools which record sensitive data into your .bash_history
(Ever wonder why security-aware tools never take passwords as
command-line arguments? That's why.)
2) You neglected to encrypt your backups to removable media. Big no-no.
3) You didn't handle backup media with the care they deserve (encrypted
or not, backups are among the most sensitive data an organization can
have) and misplaced them where they can be easily picked up by an
attacker.
So by this time, everything that happens to your systems is already
karma. Plus, all of this works regardless of whether /root is on a
separate dataset or not! (I use duplicity backup on my Linux laptop.)
Cheers,
--
Saso
More information about the OpenIndiana-discuss
mailing list