
Re: shared root account



At 994740997s since epoch (07/10/01 03:56:37 -0400 UTC), Ethan Benson wrote:
> detectability is the key here, the case should be locked shut ...
>
> compare this to your envelope idea where the machine need not even be
> shutdown and tell me which is more likely to go by unnoticed. 

Okay, we've all drifted pretty far here.  I was only describing one
particular setup that we used.  My point was to emphasize the use of
sudo, and the fact that nobody knew the root password.  There were
specific circumstances that caused the use of the "envelope" system.
As always, everyone has to weigh security against usability.

Just so you know, the box in question was a student webserver at my
college.  It was run purely by students, and we had several admins.
The machine lived in the college's machine room, which had door locks
and an alarm system.  If the students were away on vacation and the
machine needed a reboot (or fsck, or whatever), the college IT staff
could be paged in and use the envelope to get root on the box.

It was *reasonable* to assume that nobody would break into the machine
room without tripping the alarm system.  It was *reasonable* to assume
that the IT staff wouldn't go rooting our box for fun when we weren't
around.  Again, it all comes down to trust at one point or another.
We could have welded the case shut and kept the root password in a
fireproof safe with a hair-trigger self-destruct mechanism, but we're
a student group, not the CIA.  We make backups, and so the setup above
gave us enough security to feel comfortable without driving everyone
nuts.

Same should go for everyone.  If it's your company's payroll machine,
then perhaps some of the other measures described are appropriate.  If
it's a public lab machine, then obviously sticking an envelope to it
would be foolish.  Each situation dictates different security measures.

Anyway, like I said, my story was more about using sudo (that is,
theoretically, what this thread is about), and less about how to
implement physical security at any given location.  That discussion is
interesting, but bear in mind that physical security should be very
closely tied to the environment.  My story was just for illustration.

Rock on,

Jason

--
Jason Healy    |     jhealy@logn.net
LogN Systems   |   http://www.logn.net/
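Added example (not code from Jason's post or from the student webserver he describes): what "everyone goes through sudo and nobody knows the root password" looks like on a Unix box, plus two checks an admin would actually run. The group name "webadmins", the log file path, and the shadow lines in the demo are my own assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.  Assumptions (mine, not
# the poster's): admins are in a Unix group named "webadmins", and the
# shadow file uses the usual "name:hash:lastchange:..." layout.

# The sudoers fragment that replaces a shared root password.  Each admin
# authenticates with their own password, and every command is logged under
# the invoking user's name, so there is an audit trail instead of an
# anonymous "root did it".
sudoers_fragment() {
    cat <<'EOF'
# /etc/sudoers.d/webadmins (constructed example; install with mode 0440)
Defaults    logfile=/var/log/sudo.log, log_input, log_output
Defaults    timestamp_timeout=5
%webadmins  ALL=(ALL) ALL
EOF
}

# Returns 0 when the root entry in a shadow-format file is locked (password
# field begins with "!" or "*", as "passwd -l root" leaves it), and 1 when
# root still has a usable password or no root entry exists.
# Argument: path to the shadow file.
root_password_locked() {
    field=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Syntax-checks the fragment with visudo (-c check only, -f alternate file).
# Returns 0 on a clean check.  If visudo is not installed it prints a notice
# and returns 0 so the demo still runs on a box without sudo.
check_fragment() {
    tmp=$(mktemp) || return 1
    sudoers_fragment > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        if visudo -cf "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    else
        echo "visudo not found, skipping syntax check" >&2
        rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed shadow file (not a real one): root locked, one
# ordinary admin account with a live password.
demo() {
    shadow=$(mktemp) || return 1
    printf '%s\n' \
        'root:!$6$constructed$hash:19000:0:99999:7:::' \
        'alice:$6$constructed$hash:19000:0:99999:7:::' > "$shadow"
    if root_password_locked "$shadow"; then
        echo "root password is locked: admins must go through sudo"
    else
        echo "root password is usable: someone still knows it"
    fi
    rm -f "$shadow"
    check_fragment && echo "sudoers fragment passes the syntax check"
}

demo
```

The point of the fragment is the audit trail: with a shared root password the log says "root", with sudo it says which admin ran what. The lock check is the other half of the arrangement; if root_password_locked fails, somebody still has a password that bypasses sudo's logging.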


