[CentOS-devel] Cloud image default login

Tue Jul 15 01:47:29 UTC 2014
Nico Kadel-Garcia <nkadel at gmail.com>

On Mon, Jul 14, 2014 at 3:18 PM, Sven Kieske <svenkieske at gmail.com> wrote:
> On 14.07.2014 18:34, Kevin Fenzi wrote:
>> FWIW, I find the idea of setting a non priv user on cloud images
>> like this a kind of strange security theater, but it seems everyone
>> is doing it now. ;(
> +1
> I'm really not getting this
> "oh we disable root for security
> but we enable a user (not called
> root) to run every command on the system
> with root privileges and without the need
> of a password"
> this is in no way safer than root access.

It can be. SSH key based access, and sudo, can be configured with
settings to insist that the commands come from the local host, that
they allow only specific commands with specific arguments, or even
that they be run through a validation tool such as the old
'validate-rsync.sh' script used by various rsync based backup tools.

It ain't perfect, but it profoundly limits the ease of deliberate or
accidental destruction.
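
Added example (not part of the original message or the thread): a minimal forced-command validator in the spirit of the 'validate-rsync.sh' script mentioned above, showing how an SSH key can be limited to one command with checked arguments. The user name, the address 192.0.2.10, the install path and the /srv/backup/ root are assumptions, and the check is narrowed to the plain six-word read-only rsync server request.

```shell
#!/bin/sh
# Added example: forced-command validator in the spirit of validate-rsync.sh.
# Constructed deployment (user, address and paths are assumptions):
#   ~backup/.ssh/authorized_keys (wrapped here; one line in the file, key elided):
#     from="192.0.2.10",command="/usr/local/bin/validate-rsync",no-pty,
#       no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...
#   /etc/sudoers.d/backup, exact arguments only, if root is needed:
#     backup ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
LC_ALL=C; export LC_ALL
ALLOWED_ROOT="/srv/backup/"    # assumed directory the key may read

# Succeeds only for: rsync --server --sender -<flags> . <path under ALLOWED_ROOT>
validate_rsync_command() {
    cmd=$1
    # Whitelist characters: rejects ; | & $ backquotes, quotes, globs, newlines.
    case $cmd in
        *[!A-Za-z0-9\ ./_=,:-]*) return 1 ;;
    esac
    set -- $cmd                      # safe to split: no glob characters remain
    [ "$#" -eq 6 ] || return 1
    [ "$1 $2 $3 $5" = "rsync --server --sender ." ] || return 1
    case $4 in                       # one bundle of short flags, no long options
        -[!-]*) ;;
        *) return 1 ;;
    esac
    case $6 in
        */../*|*/..) return 1 ;;     # no climbing out of the allowed root
        "$ALLOWED_ROOT"*) return 0 ;;
    esac
    return 1
}

# Forced-command entry point: sshd passes the client's request in
# SSH_ORIGINAL_COMMAND; an interactive login (empty variable) gets no shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND   # word-split only, never re-parsed by a shell
    fi
    echo "validate-rsync: request rejected" >&2
    exit 1
fi
```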