On Wed, Oct 02, 2002 at 04:06:00PM -0400, woods@weird.com said:
[ On Wednesday, October 2, 2002 at 11:47:12 (-0700), Scott Francis wrote: ]
Subject: Re: Security Practices question
Absolutely so - which is why no account should have multiple equally valid passwords, which is what multiple accounts sharing a uid equates to.
Hold on a minute. You've taken this entirely out of proportion for any reasonable real-world scenario!
that last should have been qualified s/no account should/the root account should not/
It's _NOT_ that bad. Not anywhere near.
The only real risk with having multiple superuser (UID == 0) accounts is when the system has some form of vulnerability which makes it reasonable for an attacker to guess the password. Now normally on any decently modern system the group of potential attackers who could even begin such an attack is limited strictly to those who are already members of the "wheel" group, and all of those people should already have the real root password anyway.
grr. Please read Barb's post about exactly why multiple aliases for the UID 0 account are a Bad Idea. It's not really about opening potential security vulnerabilities as much as it is about bad (lazy) administration.
The risks that a wheel-group member will execute a trojan of some sort that will help an attacker gain increased privileges are much higher than any of the risks directly associated with multiple UID==0 accounts!
Rubbish. There are no risks associated with members of gid 0 that are not also associated with accounts having UID 0 - and multiple accounts with UID 0 brings in a host of other issues and problems.
Different UID==0 accounts can have different home directories, and with careful implementation of certain tools the benefits of this mechanism also vastly outweigh the risks of having multiple UID==0 accounts.
bah. There is _nothing_ one could reasonably hope to accomplish by creating multiple accounts with UID 0 that could not be accomplished at least as easily, and vastly more safely, using sudo. (before anybody uses it as a defense, yes, there are a (very) few systems out there that sudo will not run on. That's not the debate here.)
Even just the benefit of being able to appease multiple human superusers with the ability to specify different shells for their superuser account can be enough of a benefit to outweigh the risks (though of course with a small amount of training in the proper use of 'su', there really isn't any need to specify different default shells in the first place).
su isn't even needed. USE SUDO. I cannot believe that there are so many otherwise clueful people out there that apparently are unfamiliar with the fine-grained control and flexibility that this tool gives the admin (multiple shells, multiple environments, etc. etc. etc.)
You didn't give one solid example of a real-world threat or vulnerability for having multiple superuser (UID == 0) accounts. Not one. If you're going to say something is so bad that nobody should ever do it regardless then you'd better have some damned good solid threat analysis and risk assessment to back up your claim!
Trying to avoid yelling here. PLEASE go read Barb's excellent post on EXACTLY why multiple UID 0 accounts are a problem. She details multiple real risks and problems associated with this practice. I didn't list them because I thought it would surely not be too much to ask for those posting to the thread to READ the thread first, from the beginning. It's not that long.
The only thing you really said that stands up to analysis is your repeated assertion that multiple accounts with the same UID are, from the system's perspective, simply multiple ways to authenticate access to the same underlying system ID and thus to grant exactly the same authorisations. That is 100% true. What this really means, especially if the UID in question is zero(0), is that ultimately all activities that take place on the system are done with that unified UID and so there's no way to hold separate human users accountable for their actions. However in the case of UID==0 that's more or less true of 'su' even with just one "root" account. You have to trust superusers 101%,
I never advocated using su. *sigh* Use sudo.
regardless of how they authenticate to the system. In turn they, if there's more than one of them, must each be held equally responsible for any and all damage done by any superuser. If nobody confesses you can
Yes, there is trust that must be given along with superuser privs. The level of trust required can be MUCH LOWER using sudo, ACLs, or some other system. As opposed to just giving $admin or $user a blank check to do whatever they please. There was an excellent talk on exactly why the UNIX permissions scheme is archaic and needs to be replaced at ToorCon last weekend <http://www.toorcon.org>, but this is getting off-topic (even for this thread).
point fingers just as easily with 'login' logs as you can with 'su' logs, but in the end you cannot prove anything with those logs alone if it's UID==0 (unless the logging is done securely in such a way that UID==0 cannot modify it). The finger pointing suggested by the logs _MUST_ be corroborated with an external verifiable alibi (or hopefully multiples!) (which, BTW, is essentially what any secure logging system is, and it doesn't matter if 'login' or 'su' generates the audit trail).
USE SUDO. Most people, even those with a legitimate need for superuser privileges, do not really need the ability to do EVERYTHING on the system as UID 0. Sure, it takes a bit more effort to set up, but I don't think anybody could argue that the gains in control, logging, security and authentication/authorization are not worth it.
Use sudo, use ssh keys from a central admin host, use ACLs - use whatever you like, but please don't create multiple aliases for an account and think it's anything but an invitation to disaster.
Sudo is a far worse solution, with a far higher false sense of security, than multiple UID==0 accounts, unless maybe you're using it purely and only for convenience and documentation purposes amongst a group of mutually trusting users who already each know the "real" root password anyway.
Can you back up that statement in /any/ way? What exactly are your reasons why sudo is a worse solution (or even a bad idea)?
--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui (he must increase, but I must decrease)