Joel VanderWerf <vjoel / PATH.Berkeley.EDU> writes:
> Berger, Daniel wrote:
> > Heh.  Of course, if someone with physical access to your machine is willing
> > to go that far, couldn't they just reset the root password anyway?  Or
> > reload the OS completely?  Or smash it with a sledgehammer?  I suppose if
> > they wanted to be stealthy...
> 
> But the data stored in the database might be much more valuable than 
> whatever you've got on the linux box, which might just be used as a dumb 
> terminal running a thin client.

The general rule of thumb for security is that if they can touch the box,
it's insecure.  I don't see how you can effectively get around that.
If you can control physical access to the box, OTOH, there's always
SELinux <http://www.nsa.gov/selinux/>, which lets you grant/deny
permissions on a much finer grain than simply 'user/group/other'.

One of the more interesting demonstrations I saw was someone who put a
SELinux machine on the public network, and published the root password
and asked people to crack it.  Can't recall if he was 0wn3d or not,
but ISTR he wasn't.  In any event, it's highly cool.  With SELinux you
could say that, no matter what the permissions on the file were, only
you (or someone else you authorize specifically) could read it.

> > If I ever *am* convinced to add it, I'd like to keep it simple,
> > like ROT13 or something.
> 
> Well, that would stop the likes of me, but...

Fundamentally, if the password is stored *anywhere*, it's going to be
insecure.  There are things you can do to obfuscate it, including
compiling a binary which computes the password through some arcane
procedure, but ultimately, the only way to truly secure a machine is
to unplug it, bombard it with all sorts of nasty electromagnetic
radiation, fill the case with quick-dry cement, and then pulverize the
lot until it's all 0.03 microns thick, and then store the remains at
ground zero in a nuclear testing site.

So there's always tradeoffs.  And you don't *have* to use the module
anyway. :)

-=Eric
-- 
Come to think of it, there are already a million monkeys on a million
typewriters, and Usenet is NOTHING like Shakespeare.
		-- Blair Houghton.