On Tue, Oct 01, 2002 at 02:43:41PM -0700, kent@songbird.com said: [snip]
I have question for the security community on NANOG.
What is your learned opinion of having host accounts (unix machines) with UID/GID of 0:0?
In other words:
jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
The argument is that way you don't have to give out the root password, you can just nuke a user's UID=0 equiv account when they leave and not have to change the real root account.
This is a really /really/ REALLY bad idea. I had nightmare issues dealing with a network formerly run by a 'sysadmin' who thought every user that might need to do something as root should have a uidzero account.
That's not the issue, however.
The assumption is that you have several people who really are fully qualified admins on the system in question, who really do need full privileged access. The choice John describes is between giving these trusted sysadmins the password for "root", or giving them (and them alone) a UID 0 account as he describes (except that one would of course use shadow passwords etc.)
Wrong. The choice is between having a single password for the user with id 0, and having multiple passwords for that same account. This is an abysmally bad idea, and shame on anybody encouraging it. See
To put it in other terms, the choice being presented is between several fully authorized sys admins sharing a single password for "root", or for each of them to have a unique password, known only to them and shared with nobody. These are the people who would have full privileged access on the machine in any circumstance; the only issue is how they get that access.
In my past life working in a classified research facility, the following policy was strictly enforced: every sysadmin had a user level account and a root-equivalent account, and all normal work was done from the user-level account; direct logins to the root-equivalent account were disabled, so under normal circumstances the only means of getting uid 0 access was through a user level login followed by an su to a unique account; the password for "root" was locked in a vault, and could only be retrieved in an emergency via a signout procedure, after which the password was changed and a new one was put in the vault -- in practice nobody used the "root" account for any purpose, except in emergencies. In this environment sudo was used heavily, as well -- these root-equivalent accounts were only for the sysadmins who had full access to the system -- there were other admins who used sudo to handle many routine system management tasks.
This policy was arrived at after a lot of discussion, and it provides some significant advantages. Most importantly, it allowed much better management of privileged access: in a large facility systems get added and modified frequently, sysadmins change responsibilities, emergencies happen; and you can very easily get to a point where it is hard to know just who currently has the password to the username "root" account. (Fundamentally, all the arguments against normal users sharing passwords apply with even more force to passwords for privileged accounts.)
Kent
--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
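Whichever side of the thread one takes, the first thing an admin inheriting such a box wants is an inventory of every UID 0 login and whether each one actually has a password. The script below is an added example, not code from the thread or from any of its authors; the passwd and shadow contents it parses are constructed for the demo (the jmbrown_r line mirrors John's example, the toor line is hypothetical), and it reads text rather than the real /etc/passwd and /etc/shadow.

```python
# Added example (not from the NANOG thread): audit passwd/shadow content for
# UID 0 accounts. The file contents below are constructed for the demo.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
jmbrown_r:x:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
toor:x:0:0:alt root:/root:/bin/sh
jmbrown:x:1001:100:John M. Brown:/export/home/jmbrown:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$salt$fakehash1:12345:0:99999:7:::
jmbrown_r:$6$salt$fakehash2:12345:0:99999:7:::
toor::12345:0:99999:7:::
jmbrown:$6$salt$fakehash3:12345:0:99999:7:::
"""

def parse_colon_file(text):
    """Return {name: fields} for each non-empty line of a passwd/shadow file."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries

def uid0_accounts(passwd_text, shadow_text):
    """Every UID 0 account as (name, shell, password_hash)."""
    shadow = parse_colon_file(shadow_text)
    result = []
    for name, f in parse_colon_file(passwd_text).items():
        if int(f[2]) == 0:
            # 'x' in passwd means the hash lives in shadow; otherwise it is inline
            pw = shadow[name][1] if f[1] == "x" and name in shadow else f[1]
            result.append((name, f[6], pw))
    return result

def findings(passwd_text, shadow_text):
    """Audit findings: every non-root UID 0 login, and any UID 0 login with no password."""
    out = []
    for name, shell, pw in uid0_accounts(passwd_text, shadow_text):
        if name != "root":
            out.append(f"extra uid-0 account: {name} (shell {shell})")
        if pw == "":
            out.append(f"uid-0 account without a password: {name}")
    return out

if __name__ == "__main__":
    for line in findings(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(line)
```

Under Kent's policy the extra UID 0 accounts are expected and the list is the thing you review when a sysadmin leaves; under Scott's, anything other than root on that list is the finding.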