On Tue, Oct 01, 2002 at 02:43:41PM -0700, kent@songbird.com said:
[snip]
> On Mon, Sep 23, 2002 at 02:44:34PM -0700, Scott Francis wrote:
> > On Sun, Sep 22, 2002 at 03:22:11PM -0700, john@chagresventures.com said:
> > > I have a question for the security community on NANOG.
> > > What is your learned opinion of having host accounts (unix machines) with UID/GID of 0:0, in other words
> > > jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
> > > The argument is that that way you don't have to give out the root password; you can just nuke a user's UID=0 equivalent account when they leave and not have to change the real root account.
> > This is a really /really/ REALLY bad idea. I had nightmare issues dealing with a network formerly run by a 'sysadmin' who thought every user that might need to do something as root should have a uid zero account.
> That's not the issue, however.
> The assumption is that you have several people who really are fully qualified admins on the system in question, who really do need full privileged access. The choice John describes is between giving these trusted sysadmins the password for "root", or giving them (and them alone) a UID 0 account as he describes (except that one would of course use shadow passwords etc.)
Wrong. The choice here is between having one password for the account with uid zero, and having multiple, equally valid passwords for that same account. This is an abysmally bad idea, and shame on anybody that encourages it. See Barb Dijker's reply in this thread for more details on why.
> To put it in other terms, the choice being presented is between several fully authorized sysadmins sharing a single password for "root", or for each of them to have a unique password, known only to them and shared with nobody. These are the people who would have full privileged access on the machine in any circumstance; the only issue is how they get that access.
Still wrong - with multiple entries in /etc/passwd sharing a single UID, you end up with multiple passwords for the same exact user, as far as the system is concerned. The name placed with that user id is strictly a human convention - to the system, it's all the same user, multiple aliases notwithstanding.
> In my past life working in a classified research facility, the following policy was strictly enforced: every sysadmin had a user-level account and a root-equivalent account, and all normal work was done from the user-level account; direct logins to the root-equivalent account were disabled, so under normal circumstances the only means of getting uid 0 access was through a user-level login followed by an su to a unique account; the password for "root" was locked in a vault, and could only
which was a waste of time - every account with a UID of zero already HAD a password for root. In the case mentioned, root had not one but one + (number of non-root uid zero accounts) passwords, all equally valid. (Unless of course the system in question was running some bizarre version of UNIX dissimilar to every other I have seen.)
> be retrieved in an emergency via a signout procedure, after which the password was changed and a new one was put in the vault -- in practice nobody used the "root" account for any purpose, except in emergencies. In this environment sudo was used heavily, as well -- these root-equivalent accounts were only for the sysadmins who had full access to the system -- there were other admins who used sudo to handle many routine system management tasks.
There is no reason to have multiple UID zero accounts. In the very best of scenarios, it's a horrible kludge and an excuse for lazy admins to avoid using sudo properly. That's in the _best_ of scenarios.
> This policy was arrived at after a lot of discussion, and it provides some significant advantages. Most importantly, it allowed much better
I would _love_ to hear what advantages this provided.
> management of privileged access: in a large facility systems get added and modified frequently, sysadmins change responsibilities, emergencies happen; and you can very easily get to a point where it is hard to know just who currently has the password to the username "root" account.
Every individual with an account that has a uid of zero had the root password. Again, see Barb Dijker's mail for more on this.
> (Fundamentally, all the arguments against normal users sharing passwords apply with even more force to passwords for privileged accounts.)
Absolutely so - which is why no account should have multiple equally valid passwords, which is what multiple accounts sharing a uid equates to. Use sudo, use ssh keys from a central admin host, use ACLs - use whatever you like, but please don't create multiple aliases for an account and think it's anything but an invitation to disaster.
> Kent
--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
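The thread's core point is that every passwd entry with UID 0 is, to the kernel, the same user as root, so each such entry is simply an extra password for root. The following script is an added example, not part of the original thread or written by any of its participants; it audits a passwd-format file for every account that resolves to UID 0 and, more generally, for any UID shared by more than one entry (the "multiple aliases" case Scott describes). The passwd content is constructed sample data embedded in the script so it runs offline; point the functions at /etc/passwd to audit a real host.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a passwd file for
# accounts that all map to UID 0, and for any UID shared by several entries.
# The sample passwd below is constructed data, not a real system's file.

SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jmbrown:x:1001:1001:John M. Brown:/export/home/jmbrown:/bin/sh
jmbrown_r:x:0:0:John M. Brown (root alias):/export/home/jmbrown:/bin/sh
backup_r:x:0:0:Backup alias:/root:/bin/sh
EOF

# Print the login name of every entry whose UID field (field 3) is 0.
# Each of these names is a separate password that unlocks uid 0.
list_uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Count how many distinct passwd entries map to UID 0.
# "root had one + (number of non-root uid zero accounts) passwords".
count_uid0_accounts() {
    awk -F: '$3 == 0' "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) only when "root" is the sole UID 0 entry; usable as a
# compliance check in a host-audit script.
only_root_has_uid0() {
    extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1")
    [ -z "$extra" ]
}

# Generalization: report every UID that appears on more than one line, as
# "UID: name1 name2 ...". Shared UIDs other than 0 are the same kind of alias
# problem, just with less at stake.
duplicate_uids() {
    awk -F: '{ count[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1"
}

# Stand-alone run: show the findings for the constructed sample.
echo "UID 0 accounts:"
list_uid0_accounts "$SAMPLE_PASSWD"
echo "Shared UIDs:"
duplicate_uids "$SAMPLE_PASSWD"
if only_root_has_uid0 "$SAMPLE_PASSWD"; then
    echo "OK: only root has uid 0"
else
    echo "FAIL: extra uid 0 accounts present"
fi
```

Run against the sample, the audit reports three UID 0 entries (root, jmbrown_r, backup_r) and fails the only-root check; on a host that follows the advice in the thread (sudo or per-admin ssh keys instead of uid 0 aliases) it reports exactly one.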