Jesse Zbikowski wrote:
Nick Holland wrote:
the generally bad idea of duplicate user numbers

I am not aware that it is considered a bad idea to have two
usernames for the same UID.  It is a pretty established practice to
add a so-called "toor" username for exactly the reason of getting a
nice superuser shell.  I have been doing this in a production
environment for years with no problem.

http://en.wikipedia.org/wiki/Toor

Did you actually READ that article? Say, maybe, the end part under "Security Considerations"?

There are lots of things that people did back before the world was all interconnected that aren't such hot ideas now. The fact that a practice was commonly done...or even IS commonly done...doesn't mean it is a really good idea.

IF you do as you propose, you will get warning messages out of the daily security checks. You can either ignore the warning (in which case, you will probably miss other warnings, too, as you have "learned" that the insecurity report has "bogus" stuff in it) or modify the security check to not warn you about that. NOW, if I manage to get another account set to also have a '0' or other "interesting" user number (keep in mind, I may not want 'root' on your box, maybe I just want to see the data of the payroll dept., or your personal e-mail, or similar), you won't notice that, either.

Non-trivial additional risk so you don't have to manually invoke a shell you don't even need to use. I think this falls quite safely under "bad idea". The ONLY benefit you are going to see here is allowing you to be LAZY, and five-keystroke lazy at that (two, if you do an appropriate 'alias'). Wow.

You run OpenBSD, why? Probably because the developers have a pretty good idea how to keep your applications running safely and reliably. The developers have decided to look for duplicate IDs as part of their daily security checks. You have decided you know better.

The point of proper administration is to do what needs to be done to keep your systems running reliably and securely and to make it easy to fix things WHEN they go wrong. While it isn't about working harder than need be, it also isn't about doing silly tricks to your system which can have negative (or not thought-through) impacts to your system Just Because You Can, or even because Someone Else Suggested It, just to save a very few keystrokes.


Nick.
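To make the risk in Nick's reply concrete, here is an added example that is not from the post and not the OpenBSD security(8) script itself: a minimal version of the duplicate-UID check the daily insecurity report performs, run against a constructed passwd-format sample. The sample, the account names ("payroll", "backdoor") and the function names are all assumptions made up for this illustration. It shows why a "known bogus" toor warning is a problem: a second, quieter duplicate (an account sharing the payroll user's UID) is reported in exactly the same place and looks exactly the same.

```shell
#!/bin/sh
# Added example, not code from OpenBSD's security(8) script or from the post:
# a minimal duplicate-UID check of the kind the daily insecurity report does,
# run here against a constructed passwd-format sample so it works offline.

# Constructed sample in /etc/passwd format (not a real system's file).
# It contains the toor alias for UID 0 and a second, less obvious duplicate:
# "backdoor" sharing the payroll user's UID 1005, which is the case you stop
# noticing once you have learned to ignore the daily toor warning.
PASSWD_SAMPLE=$(cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
toor:*:0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
payroll:*:1005:1005:Payroll Dept:/home/payroll:/bin/ksh
jdoe:*:1006:1006:John Doe:/home/jdoe:/bin/ksh
backdoor:*:1005:1005:Nothing to see here:/home/backdoor:/bin/ksh
EOF
)

# dup_uids: read passwd-format lines on stdin and print one line per UID that
# appears more than once, as "<uid> <name1>,<name2>,...", lowest UID first.
# Lines whose third field is not a plain number (blank or malformed lines)
# are skipped rather than reported.
dup_uids() {
    awk -F: '
        $3 !~ /^[0-9]+$/ { next }
        {
            count[$3]++
            names[$3] = (names[$3] == "") ? $1 : names[$3] "," $1
        }
        END {
            for (uid in count)
                if (count[uid] > 1)
                    print uid, names[uid]
        }' | sort -n
}

# check_dup_uids: report-style wrapper around dup_uids. Prints the offending
# UIDs and their account names and returns 1 if any UID is shared, 0 if the
# input is clean, so it can be used as a pass/fail check in a cron job.
check_dup_uids() {
    dups=$(dup_uids)
    if [ -n "$dups" ]; then
        printf 'Checking for duplicate UIDs:\n%s\n' "$dups"
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample. To check a live system run
# "check_dup_uids < /etc/passwd" (on OpenBSD the daily security script already
# does the equivalent, which is the warning the thread is about).
printf '%s\n' "$PASSWD_SAMPLE" | check_dup_uids \
    || echo "=> accounts share a UID; treat every line above as a finding, not noise"
```

Run against the sample this prints both "0 root,toor" and "1005 payroll,backdoor" under the same heading. The point of the example is the second line: if the first one has been trained away as harmless, or the check has been edited to stay quiet about UID 0, the line that actually matters is just as easy to miss.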
