RE: [expert] users with same permissions as root
hi all

well if i may jump into this discussion ... i'd like to share alternative ways instead of giving out root passwords...

we have several machines with several admins and we use 'sudo' to give root privileges to the admins. we don't even have to know the 'root' password to do root commands. the root password is kept by the head admin only. (of course, you shouldn't change the root password ;-) )

we also use SSH rsa/dsa identity on our load-balanced web servers. on these machines, we don't need root passwords, we just have to be able to login to one main machine with a correct ssh identity and key. from there as root, you can login to all the other machines directly just using ssh.

well have a merry christmas and a happy new year too to all listers!

cheers
dianne

--- John McQuillen <[EMAIL PROTECTED]> wrote:
> On Mon, 2002-12-23 at 05:47, Brian York wrote:
> > If you make all the root passwords on every machine (17 linux machines) you
> > are asking for more trouble than my way because if an unauthorized user
> > gets the root password then they can shut down everything. Where I work we
> > have 83 machines (linux, VMS, windows) the root/administrator password is
> > different for each and VNC password is different. Brush up on your security
> > before you start telling people that they are asking for trouble.
> >
> > And another thing I don't know what your affiliation with linux is and how
> > you use it but when you login to a server it is for superuser type
> > activities any way. It's not your typical browse around to see what's on it or
> > experiment with "new commands".
>
> Yeah, but under your plan, your admins won't even have an unprivileged
> account to experiment with even if they wanted or needed to. The first
> thing most n00bs are taught about *nix, is 'DON'T LOG ON AS ROOT', and
> you're considering worse than this, you're considering logging on as a
> user, with root privs.
>
> The only reason I even suggested making all the root passwords the same
> was that you were worried that your admins wouldn't be able to remember
> a different password for each one. IMO this would be better at least
> than just giving root privileges to your admins user accounts.
>
> Don't tell me to brush up on my security. You are the one who seems
> intent on allowing your admins to log in to your systems with root
> privileges.
>
> And by the way, I don't work day to day with linux, but I do work in a
> large network operations centre and I have loads of admin passwords for
> routers and switches to remember. If I can't remember the password, I
> can't get on.
>
> If you insist on giving root to your admins user accounts, go ahead.
>
> And also by the way, you'd be asking for trouble. Don't say I didn't
> tell you so.
>
> John...

Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
Re: [expert] users with same permissions as root
John McQuillen wrote:
> On Mon, 2002-12-23 at 11:57, J. Craig Woods wrote:
> > Hey John,
> >
> > How do you really feel about this?
> >
> > drjung
>
> CRACK UP!!! My wife says this to me all the time - "Tell me how you really feel" :)
>
> Sorry if I got a bit carried away... I do tend to get a bit emotional at times.
>
> Kindest regards,
> John...

Sorry Todd, it may be a bit off topic but let me just say to all the great people on this list (and the rest of you too): may you all have a very Merry Christmas, and may the new year bring us great Mandrake distros

drjung
Re: [expert] users with same permissions as root
On Mon, 2002-12-23 at 11:57, J. Craig Woods wrote:
> Hey John,
>
> How do you really feel about this?
>
> drjung

CRACK UP!!! My wife says this to me all the time - "Tell me how you really feel" :)

Sorry if I got a bit carried away... I do tend to get a bit emotional at times.

Kindest regards,
John...
Re: [expert] users with same permissions as root
LOL! Merry Christmas, Dr J. You too, John McQ. ;)

--- "J. Craig Woods" <[EMAIL PROTECTED]> wrote:
> John McQuillen wrote:
>
> > Yeah, but under your plan, your admins won't even have an unprivileged
> > account to experiment with even if they wanted or needed to. The first
> > thing most n00bs are taught about *nix, is 'DON'T LOG ON AS ROOT', and
> > you're considering worse than this, you're considering logging on as a
> > user, with root privs.
> >
> > The only reason I even suggested making all the root passwords the same
> > was that you were worried that your admins wouldn't be able to remember
> > a different password for each one. IMO this would be better at least
> > than just giving root privileges to your admins user accounts.
> >
> > Don't tell me to brush up on my security. You are the one who seems
> > intent on allowing your admins to log in to your systems with root
> > privileges.
> >
> > And by the way, I don't work day to day with linux, but I do work in a
> > large network operations centre and I have loads of admin passwords for
> > routers and switches to remember. If I can't remember the password, I
> > can't get on.
> >
> > If you insist on giving root to your admins user accounts, go ahead.
> >
> > And also by the way, you'd be asking for trouble. Don't say I didn't
> > tell you so.
> >
> > John...
>
> Hey John,
>
> How do you really feel about this?
>
> drjung

--LX
Re: [expert] users with same permissions as root
John McQuillen wrote:
> Yeah, but under your plan, your admins won't even have an unprivileged
> account to experiment with even if they wanted or needed to. The first
> thing most n00bs are taught about *nix, is 'DON'T LOG ON AS ROOT', and
> you're considering worse than this, you're considering logging on as a
> user, with root privs.
>
> The only reason I even suggested making all the root passwords the same
> was that you were worried that your admins wouldn't be able to remember
> a different password for each one. IMO this would be better at least
> than just giving root privileges to your admins user accounts.
>
> Don't tell me to brush up on my security. You are the one who seems
> intent on allowing your admins to log in to your systems with root
> privileges.
>
> And by the way, I don't work day to day with linux, but I do work in a
> large network operations centre and I have loads of admin passwords for
> routers and switches to remember. If I can't remember the password, I
> can't get on.
>
> If you insist on giving root to your admins user accounts, go ahead.
>
> And also by the way, you'd be asking for trouble. Don't say I didn't
> tell you so.
>
> John...

Hey John,

How do you really feel about this?

drjung
RE: [expert] users with same permissions as root
On Mon, 2002-12-23 at 05:47, Brian York wrote:
> If you make all the root passwords on every machine (17 linux machines) you
> are asking for more trouble than my way because if an unauthorized user
> gets the root password then they can shut down everything. Where I work we
> have 83 machines (linux, VMS, windows) the root/administrator password is
> different for each and VNC password is different. Brush up on your security
> before you start telling people that they are asking for trouble.
>
> And another thing I don't know what your affiliation with linux is and how
> you use it but when you login to a server it is for superuser type
> activities any way. It's not your typical browse around to see what's on it or
> experiment with "new commands".

Yeah, but under your plan, your admins won't even have an unprivileged account to experiment with even if they wanted or needed to. The first thing most n00bs are taught about *nix, is 'DON'T LOG ON AS ROOT', and you're considering worse than this, you're considering logging on as a user, with root privs.

The only reason I even suggested making all the root passwords the same was that you were worried that your admins wouldn't be able to remember a different password for each one. IMO this would be better at least than just giving root privileges to your admins user accounts.

Don't tell me to brush up on my security. You are the one who seems intent on allowing your admins to log in to your systems with root privileges.

And by the way, I don't work day to day with linux, but I do work in a large network operations centre and I have loads of admin passwords for routers and switches to remember. If I can't remember the password, I can't get on.

If you insist on giving root to your admins user accounts, go ahead.

And also by the way, you'd be asking for trouble. Don't say I didn't tell you so.

John...
RE: [expert] users with same permissions as root
If you make all the root passwords on every machine (17 linux machines) you are asking for more trouble than my way because if an unauthorized user gets the root password then they can shut down everything. Where I work we have 83 machines (linux, VMS, windows) the root/administrator password is different for each and VNC password is different. Brush up on your security before you start telling people that they are asking for trouble.

And another thing I don't know what your affiliation with linux is and how you use it but when you login to a server it is for superuser type activities any way. It's not your typical browse around to see what's on it or experiment with "new commands".

Brian

-----Original Message-----
From: John McQuillen [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 13, 2002 8:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [expert] users with same permissions as root

On Sat, 2002-12-14 at 07:15, Brian York wrote:
> Why would that be the best solution. Why is the difference?
>
> The deal is is they will be able to login to all the RedHat servers with
> their usernames and won't have to remember the root password for each one.

Sure, they should always log on with their usernames, but they shouldn't have root privileges unless they su to root.

Normal user accounts don't have root privs for a very good reason. You shouldn't even trust yourself with root privs on your user account. If your admins can't remember the root password, they shouldn't be administering the system, IMHO...

Make the root password for all the systems the same, rather than upping unprivileged accounts to superuser status. You are just asking for trouble, IMNSHO.

Regards,
John...
RE: [expert] users with same permissions as root
What about logs?

On Fri, 2002-12-13 at 18:09, logic7 wrote:
> that's kinda defeating the whole purpose of root. there would be no
> difference between giving them the root password and you all having the same
> access as root under your logins. Your best bet is to NOT give them access
> under their logins and make them use root.
>
> Sounds like you're a winNT/2k/XP admin. they're good for that.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Brian York
> Sent: Friday, December 13, 2002 1:04 PM
> To: '[EMAIL PROTECTED]'
> Subject: [expert] users with same permissions as root
>
>
> How can I setup users to have the same permissions and access to all
> programs and files that root has?
> I am one of 5 network admins and I don't want any of us to use root.
>
> Ownership of files can still be owned by each user but all 5 admins should
> be able to wrx them.
>
> Thanks
> Brian

--
Manuel Soto <[EMAIL PROTECTED]>
Re: [expert] users with same permissions as root
On Friday, December 13, 2002, at 06:22 PM, John McQuillen wrote:

>> Why would that be the best solution. Why is the difference?
>>
>> The deal is is they will be able to login to all the RedHat servers with
>> their usernames and won't have to remember the root password for each one.
>
> Sure, they should always log on with their usernames, but they shouldn't
> have root privileges unless they su to root.

Never ever ever ever have users with uid 0. That is the worst possible way to give an admin root access and you're absolutely asking for trouble. All it takes is for someone to brute that user's password and you've happily handed them root access. At least if they need to su (and know root's password) or use sudo (leaving an audit trail), you're going to stop the vast majority of attacks (of that sort).

Even having sudo ask you for your own password, as opposed to root's, is safer. Imagine you are uid 0 and you leave your workstation without a locked screen and logged in. Even if it's on a remote system (more's the better), if you've remained logged in, I've got root. Or imagine you use ssh keys and use something like keychain that doesn't ask for your passphrase. If you were using sudo to ask for your password, I'd only have access as you, or would have to find a local exploit to obtain root. If you just gave that user uid 0 with no checks or safeguards at all, you've just made my job *real* easy.

> Normal user accounts don't have root privs for a very good reason. You
> shouldn't even trust yourself with root privs on your user account. If
> your admins can't remember the root password, they shouldn't be
> administering the system, IMHO...

*Exactly*.

> Make the root password for all the systems the same, rather than upping
> unprivileged accounts to superuser status. You are just asking for
> trouble, IMNSHO.

I wouldn't do that. Make root on each system different. Use sudo (without NOPASSWORD) to give users root access or, preferably, give them root to what they need and only what they need. If they need something else later on, you can grant them access.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
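The sudo advice in the message above (no password-less grants, and only the commands an admin needs) turned into a check over a sudoers file, as an added example that is not part of the original post. It uses the real sudoers tag `NOPASSWD`; the users `admin1` to `admin4` and the sample file are constructed, and the check does not expand aliases, `#include` files or continuation lines.

```sh
#!/bin/sh
# Added example: list sudoers grants that are wider than "what they need".

# Constructed sample in sudoers syntax (admin1..admin4 are hypothetical users).
sample_sudoers() {
cat <<'EOF'
# constructed sample, not from any real host
Defaults env_reset
Cmnd_Alias NET = /sbin/ifconfig, /sbin/route
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
admin1  ALL=(ALL) NOPASSWD: ALL
admin2  ALL=(root) /bin/bash
admin3  ALL=(root) NET
admin4  ALL = NOPASSWD: /sbin/ifconfig, /bin/sh
EOF
}

# sudoers_findings FILE
# Print "who<TAB>finding" for each grant that
#   - carries the NOPASSWD tag (sudo never asks for the user's password),
#   - allows ALL commands, or
#   - allows a shell, which is equivalent to ALL (the "sudo bash" case).
sudoers_findings() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments, includes, blanks
        $1 == "Defaults" || $1 ~ /^Defaults[@:!>]/ { next }
        $1 ~ /_Alias$/ || $1 == "root" { next }     # alias definitions, root itself
        {
            eq = index($0, "=")
            if (eq == 0) next
            who = $1
            spec = substr($0, eq + 1)
            gsub(/\([^)]*\)[ \t]*/, "", spec)       # drop (runas) lists
            if (spec ~ /NOPASSWD[ \t]*:/) print who "\tNOPASSWD"
            gsub(/[A-Z_]+[ \t]*:[ \t]*/, "", spec)  # drop tags such as NOPASSWD:
            n = split(spec, cmd, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                c = cmd[i]
                sub(/^[ \t]+/, "", c); sub(/[ \t]+$/, "", c)
                split(c, word, /[ \t]+/)            # word[1] is the program path
                if (c == "ALL")
                    print who "\tall-commands"
                else if (word[1] ~ /\/(ba|da|k|z|c|tc)?sh$/)
                    print who "\tshell:" word[1]
            }
        }
    ' "$1"
}

# Demo on the constructed sample; on a real host run it as root against
# /etc/sudoers and every file it includes.
demo=$(mktemp)
sample_sudoers > "$demo"
sudoers_findings "$demo"
rm -f "$demo"
```

The `admin3` line produces no finding because it grants only the two commands in the `NET` alias, which is the shape of grant the message recommends.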
Re: [expert] users with same permissions as root
You might want to check out this link on the how's and why's of using sudo:

http://www.mandrakesecure.net/en/docs/sudo.php

-Jason

On Friday 13 December 2002 03:15 pm, Brian York wrote:
> Why would that be the best solution. Why is the difference?
>
> The deal is is they will be able to login to all the RedHat servers with
> their usernames and won't have to remember the root password for each one.
>
> Brian
>
> -----Original Message-----
> From: logic7 [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 13, 2002 1:09 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [expert] users with same permissions as root
>
> that's kinda defeating the whole purpose of root. there would be no
> difference between giving them the root password and you all having the
> same access as root under your logins. Your best bet is to NOT give them
> access under their logins and make them use root.
>
> Sounds like you're a winNT/2k/XP admin. they're good for that.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Brian York
> Sent: Friday, December 13, 2002 1:04 PM
> To: '[EMAIL PROTECTED]'
> Subject: [expert] users with same permissions as root
>
>
> How can I setup users to have the same permissions and access to all
> programs and files that root has?
> I am one of 5 network admins and I don't want any of us to use root.
>
> Ownership of files can still be owned by each user but all 5 admins should
> be able to wrx them.
>
> Thanks
> Brian

--
'It's time to-'
'Prod buttock, sir?' said Carrot, hurriedly.
'Close,' said Vimes, taking a deep drag and blowing out a smoke ring, 'but no cigar.'
(Feet of Clay)
RE: [expert] users with same permissions as root
On Sat, 2002-12-14 at 07:15, Brian York wrote:
> Why would that be the best solution. Why is the difference?
>
> The deal is is they will be able to login to all the RedHat servers with
> their usernames and won't have to remember the root password for each one.

Sure, they should always log on with their usernames, but they shouldn't have root privileges unless they su to root.

Normal user accounts don't have root privs for a very good reason. You shouldn't even trust yourself with root privs on your user account. If your admins can't remember the root password, they shouldn't be administering the system, IMHO...

Make the root password for all the systems the same, rather than upping unprivileged accounts to superuser status. You are just asking for trouble, IMNSHO.

Regards,
John...
Re: [expert] users with same permissions as root
You can have everyone in /etc/sudoers and have everyone sudo bash when they login as themselves.

On Friday 13 December 2002 11:03 am, Brian York wrote:
> How can I setup users to have the same permissions and access to all
> programs and files that root has?
> I am one of 5 network admins and I don't want any of us to use root.
>
> Ownership of files can still be owned by each user but all 5 admins should
> be able to wrx them.
>
> Thanks
> Brian

--
Vasiliy Boulytchev
Colorado Information Technologies Inc.
(719) 473-2800 x15
RE: [expert] users with same permissions as root
If you take the line from /etc/passwd

    james:x:502:501:james:/home/james:/bin/bash

and change it to

    james:x:0:0:james:/home/james:/bin/bash

The above is a hack for existing users better way is

    adduser -o -u 0 newuser -p password -g root

and create a new user. That user is now equal to root.

and yes I can see the advantage to this ... you know who is compromised, who screwed up what etc. Login files are good for this.

I've created a second "root" user for years... My people su to a second root user and never know the true root password.. Then I know who was working as root and when, and I know when someone does su to root (can't log in directly as root.) I've been hacked and big bells go off so to speak.

It's an old Unix thing, came over to Linux with me. (Not a windows thing I barely know how to operate that OS. *grin*)

James

On Fri, 2002-12-13 at 12:15, Brian York wrote:
> Why would that be the best solution. Why is the difference?
>
> The deal is is they will be able to login to all the RedHat servers with
> their usernames and won't have to remember the root password for each one.
>
> Brian
>
> -----Original Message-----
> From: logic7 [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 13, 2002 1:09 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [expert] users with same permissions as root
>
> that's kinda defeating the whole purpose of root. there would be no
> difference between giving them the root password and you all having the same
> access as root under your logins. Your best bet is to NOT give them access
> under their logins and make them use root.
>
> Sounds like you're a winNT/2k/XP admin. they're good for that.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Brian York
> Sent: Friday, December 13, 2002 1:04 PM
> To: '[EMAIL PROTECTED]'
> Subject: [expert] users with same permissions as root
>
>
> How can I setup users to have the same permissions and access to all
> programs and files that root has?
> I am one of 5 network admins and I don't want any of us to use root.
>
> Ownership of files can still be owned by each user but all 5 admins should
> be able to wrx them.
>
> Thanks
> Brian
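A check for the state this message creates, accounts other than root that carry UID 0, added here as an example and not part of the original post. The sample file is constructed: its `james` and `newuser` lines follow the message, while `alice` and the function names are assumptions.

```sh
#!/bin/sh
# Added example: audit a passwd-format file for accounts that share root's UID.

# Constructed sample in /etc/passwd format. The james and newuser entries
# mirror what the message's edit and its "adduser -o -u 0" command produce.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/sh
james:x:0:0:james:/home/james:/bin/bash
newuser:x:0:0::/home/newuser:/bin/bash
alice:x:503:503:alice:/home/alice:/bin/bash
EOF
}

# uid0_accounts FILE
# Print every login name other than "root" whose UID field is numerically 0.
uid0_accounts() {
    awk -F: '
        /^[ \t]*#/ || NF < 7 { next }               # comments, malformed lines
        $3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" { print $1 }
    ' "$1"
}

# shared_uids FILE
# Print "uid:name1,name2,..." for each UID held by more than one account.
# Shared UIDs make file ownership and process listings ambiguous, because
# the kernel only records the number, not the login name.
shared_uids() {
    awk -F: '
        /^[ \t]*#/ || NF < 7 || $3 !~ /^[0-9]+$/ { next }
        {
            uid = $3 + 0                            # "00" and "0" are the same UID
            if (uid in names) names[uid] = names[uid] "," $1
            else names[uid] = $1
            count[uid]++
        }
        END { for (uid in count) if (count[uid] > 1) print uid ":" names[uid] }
    ' "$1" | sort -t: -k1,1n
}

# Demo on the constructed sample; on a real host pass /etc/passwd instead.
demo=$(mktemp)
sample_passwd > "$demo"
echo "Non-root accounts with UID 0:"
uid0_accounts "$demo"
echo "UIDs shared by more than one account:"
shared_uids "$demo"
rm -f "$demo"
```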
RE: [expert] users with same permissions as root
If you use sudo you'll get the same effect together with a log of who's doing what.

On Fri, 2002-12-13 at 12:15, Brian York wrote:
> Why would that be the best solution. Why is the difference?
>
> The deal is is they will be able to login to all the RedHat servers with
> their usernames and won't have to remember the root password for each one.
>
> Brian
>
> -----Original Message-----
> From: logic7 [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 13, 2002 1:09 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [expert] users with same permissions as root
>
> that's kinda defeating the whole purpose of root. there would be no
> difference between giving them the root password and you all having the same
> access as root under your logins. Your best bet is to NOT give them access
> under their logins and make them use root.
>
> Sounds like you're a winNT/2k/XP admin. they're good for that.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Brian York
> Sent: Friday, December 13, 2002 1:04 PM
> To: '[EMAIL PROTECTED]'
> Subject: [expert] users with same permissions as root
>
>
> How can I setup users to have the same permissions and access to all
> programs and files that root has?
> I am one of 5 network admins and I don't want any of us to use root.
>
> Ownership of files can still be owned by each user but all 5 admins should
> be able to wrx them.
>
> Thanks
> Brian

--
Jack Coates
Monkeynoodle: A Scientific Venture...
RE: [expert] users with same permissions as root
Why would that be the best solution. Why is the difference?

The deal is is they will be able to login to all the RedHat servers with their usernames and won't have to remember the root password for each one.

Brian

-----Original Message-----
From: logic7 [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 13, 2002 1:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [expert] users with same permissions as root

that's kinda defeating the whole purpose of root. there would be no difference between giving them the root password and you all having the same access as root under your logins. Your best bet is to NOT give them access under their logins and make them use root.

Sounds like you're a winNT/2k/XP admin. they're good for that.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Brian York
Sent: Friday, December 13, 2002 1:04 PM
To: '[EMAIL PROTECTED]'
Subject: [expert] users with same permissions as root


How can I setup users to have the same permissions and access to all programs and files that root has?
I am one of 5 network admins and I don't want any of us to use root.

Ownership of files can still be owned by each user but all 5 admins should be able to wrx them.

Thanks
Brian
Re: [expert] users with same permissions as root
On Fri, 2002-12-13 at 10:03, Brian York wrote:
> How can I setup users to have the same permissions and access to all
> programs and files that root has?
> I am one of 5 network admins and I don't want any of us to use root.
>
> Ownership of files can still be owned by each user but all 5 admins should
> be able to wrx them.
>
> Thanks
> Brian

put them in group wheel, install sudo, as root visudo and enable access for group wheel.

--
Jack Coates
Monkeynoodle: A Scientific Venture...
Re: [expert] users with same permissions as root
On Fri, 13 Dec 2002, Brian York wrote:
> How can I setup users to have the same permissions and access to all
> programs and files that root has?
> I am one of 5 network admins and I don't want any of us to use root.
>
> Ownership of files can still be owned by each user but all 5 admins should
> be able to wrx them.

You can create a new group then assign these files to that group. For example, the /sbin/ifconfig file has the following permissions:

    -rwxr-x--- 1 root root 48316 Oct 3 2000 /sbin/ifconfig

    rwx for owner
    r x for group
    none for other

You can chgrp the file to, say, the wheel group then add the other admins to the wheel group.

As for access to the programs, make sure that the /sbin and /usr/sbin directories are in the admin's PATH. If not, you'll get a "command not found" error when you type the commands at the shell.

Access to these files won't automatically grant permissions to change privileged configurations however. There are things you can do to allow it, but it may be easier to enforce a policy that all admins must login with their own ID then su to root to make changes. This way the logfiles will leave an audit trail.

There are also programs such as sudo that will allow non-privileged users to run restricted commands with su privileges.

There's also a way to make a binary run as the owner of the file but this can be dangerous in many circumstances. I.e., if the program allows shell access or the ability to interact in any way with the filesystem, then the user can easily elevate their privileges.
RE: [expert] users with same permissions as root
that's kinda defeating the whole purpose of root. there would be no difference between giving them the root password and you all having the same access as root under your logins. Your best bet is to NOT give them access under their logins and make them use root.

Sounds like you're a winNT/2k/XP admin. they're good for that.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Brian York
Sent: Friday, December 13, 2002 1:04 PM
To: '[EMAIL PROTECTED]'
Subject: [expert] users with same permissions as root


How can I setup users to have the same permissions and access to all programs and files that root has?
I am one of 5 network admins and I don't want any of us to use root.

Ownership of files can still be owned by each user but all 5 admins should be able to wrx them.

Thanks
Brian