On Tue, Oct 01, 2002 at 02:43:41PM -0700, [EMAIL PROTECTED] said:
[snip]
> > > I have a question for the security community on NANOG.
> > >
> > > What is your learned opinion of having host accounts
> > > (unix machines) with UID/GID of 0:0
> > >
> > > in other words
> > >
> > > jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
> > >
> > > The argument is that way you don't have to give out the root password,
> > > you can just nuke a user's UID=0 equiv account when they leave and not
> > > have to change the real root account.
> >
> > This is a really /really/ REALLY bad idea. I had nightmare issues dealing
> > with a network formerly run by a 'sysadmin' who thought every user that
> > might need to do something as root should have a uidzero account.
>
> That's not the issue, however.
>
> The assumption is that you have several people who really are fully
> qualified admins on the system in question, who really do need full
> privileged access. The choice John describes is between giving these
> trusted sysadmins the password for "root", or giving them (and them
> alone) a UID 0 account as he describes (except that one would of course
> use shadow passwords etc.)
Wrong. The choice is between having a single password for the user with
id 0, and having multiple passwords for that same account. This is an
abysmally bad idea, and shame on anybody encouraging it. See

> > To put it in other terms, the choice being presented is between several
> > fully authorized sys admins sharing a single password for "root", or for
> > each of them to have a unique password, known only to them and shared
> > with nobody. These are the people who would have full privileged access
> > on the machine in any circumstance; the only issue is how they get that
> > access.
> >
> > In my past life working in a classified research facility, the following
> > policy was strictly enforced: every sysadmin had a user level account
> > and a root-equivalent account, and all normal work was done from the
> > user-level account; direct logins to the root-equivalent account were
> > disabled, so under normal circumstances the only means of getting uid 0
> > access was through a user level login followed by an su to a unique
> > account; the password for "root" was locked in a vault, and could only
> > be retrieved in an emergency via a signout procedure, after which the
> > password was changed and a new one was put in the vault -- in practice
> > nobody used the "root" account for any purpose, except in emergencies.
> > In this environment sudo was used heavily, as well -- these
> > root-equivalent accounts were only for the sysadmins who had full access
> > to the system -- there were other admins who used sudo to handle many
> > routine system management tasks.
> >
> > This policy was arrived at after a lot of discussion, and it provides
> > some significant advantages. Most importantly, it allowed much better
> > management of privileged access: in a large facility systems get added
> > and modified frequently, sysadmins change responsibilities, emergencies
> > happen; and you can very easily get to a point where it is hard to know
> > just who currently has the password to the username "root" account.
> (Fundamentally, all the arguments against normal users sharing passwords
> apply with even more force to passwords for privileged accounts.)
>
> Kent

-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
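Whichever side of this argument a site lands on, the thing to know is how many UID 0 accounts actually exist on a box. The audit below is an added example, not code from this thread: it lists every UID 0 entry in a passwd(5)-format file other than "root" (and, separately, accounts whose primary group is GID 0), and returns non-zero when root-equivalent accounts are present so it can be scheduled. It assumes only POSIX sh, awk and mktemp, and runs against a constructed sample file rather than a live system; the jmbrown_r line is the one quoted in John's question.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd(5)-format file for
# root-equivalent accounts, i.e. UID 0 entries under a name other than
# "root", and for accounts whose primary group is GID 0.

uid0_accounts() {
    # Print "name:shell" for every UID 0 entry that is not the root account.
    awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $7 }' "$1"
}

gid0_only_accounts() {
    # Print names with primary GID 0 but a non-zero UID (root group members).
    awk -F: '$4 == 0 && $3 != 0 { print $1 }' "$1"
}

audit_passwd() {
    # Return 1 when any root-equivalent account exists, so the check can be
    # run from cron and alert on a non-zero exit status.
    found=$(uid0_accounts "$1")
    if [ -n "$found" ]; then
        printf 'root-equivalent accounts in %s:\n%s\n' "$1" "$found"
        return 1
    fi
    return 0
}

# Constructed sample passwd file for a stand-alone run (shadowed passwords);
# not a real system's /etc/passwd.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jmbrown_r:x:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
jmbrown:x:1001:1001:John M. Brown:/export/home/jmbrown:/bin/sh
backup:x:34:0:backup:/var/backups:/usr/sbin/nologin
EOF

# On a live host this would be: audit_passwd /etc/passwd
audit_passwd "$SAMPLE_PASSWD"
```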