Re: recent etch upgrade... sashroot (uid=0) started to impersonate uid=0 (root)

To: debian-devel@lists.debian.org
Subject: Re: recent etch upgrade... sashroot (uid=0) started to impersonate uid=0 (root)
From: Russ Allbery <rra@debian.org>
Date: Mon, 12 Feb 2007 19:22:41 -0800
Message-id: <[🔎] 873b5azqpq.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20070213025804.GG10550@washoe.onerussian.com> (Yaroslav Halchenko's message of "Mon, 12 Feb 2007 21:58:06 -0500")
References: <[🔎] 20070212212214.GE10550@washoe.onerussian.com> <[🔎] 20070212223200.GD7627@mauritius.dodds.net> <[🔎] 20070212231052.GF10550@washoe.onerussian.com> <[🔎] 20070213025804.GG10550@washoe.onerussian.com>

Yaroslav Halchenko <debian@onerussian.com> writes:

> Actually it seems to be not mine, and not sash fault -- it seems to be a
> common practice mentioned in multiple howto's around the web such like
> http://linuxgazette.net/issue48/tag/16.html

It's a really *bad* common practice.  Use of the root account in general
should be minimized and ideally done through an auditing method; creating
*more* root-level accounts, particularly with separate passwords, can
cause all sorts of interesting problems.  I've worked in organizations
that did this as a matter of course and seen disaster as a result.

The reason why sash does this is different than the reason why people
usually talk about it on the web, but while the sash use makes a moderate
amount of sense at first glance, I'm not sure how often it's really useful
compared to booting single-user or just changing the shell of the root
account itself and normally using sudo.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: recent etch upgrade... sashroot (uid=0) started to impersonate uid=0 (root)
  - From: Yaroslav Halchenko <debian@onerussian.com>

References:
- recent etch upgrade... sashroot (uid=0) started to impersonate uid=0 (root)
  - From: Yaroslav Halchenko <debian@onerussian.com>
- Re: recent etch upgrade... sashroot (uid=0) started to impersonate uid=0 (root)
  - From: Steve Langasek <vorlon@debian.org>
- Re: recent etch upgrade... sashroot (uid=0) started to impersonate uid=0 (root)
  - From: Yaroslav Halchenko <debian@onerussian.com>
- Re: recent etch upgrade... sashroot (uid=0) started to impersonate uid=0 (root)
  - From: Yaroslav Halchenko <debian@onerussian.com>

Prev by Date: Re: RFC: use readable $(cmd) syntax instead of unreadable `cmd`
Next by Date: Re: Handling of (inactive) Debian Accounts
Previous by thread: Re: recent etch upgrade... sashroot (uid=0) started to impersonate uid=0 (root)
Next by thread: Re: recent etch upgrade... sashroot (uid=0) started to impersonate uid=0 (root)
Index(es):
- Date
- Thread