
Re: shared root account



At 994443564s since epoch (07/06/01 06:19:24 -0400 UTC), Juha Jäykkä wrote:
>   I distrust allowing root logins from anywhere but local console(s)
> or non-modem gettys i.e. from anywhere over the not-owned-by-me cable.
>   Any other ideas? Or is it really safe to allow root logins to sshd?
> It is just an old rule of thumb that root must never log on over the
> wire but that may be old news from times of telnet - never had any
> need of root logins over the wire until perhaps now.

I agree with others here: use sudo.  Even on my own box I use sudo,
rather than using my root password.

I worked at a company where all the employees had their own Linux box.
We gave them sudo on their own machines, but only the IT staff had
root on the boxes.  This way, the staff could do updates (they set up
an "admin" account with sudo), and the users could fudge their own
configs, but nobody needed actual 'root' to do anything.

I do not recommend the UID=0 trick.  Too many ways to make typos and
hose your passwd file.  Also, sudo leaves a nice audit trail, and has
many more features that you may find handy in the future (such as the
ability to restrict commands run as root, times of day, types of
passwords accepted to run root commands, etc).

Finally, if you're doing a lot of work and don't want to have to keep
typing "sudo" in front of everything, try:

sudo -s

To get a root shell.

Jason

--
Jason Healy    |     jhealy@logn.net
LogN Systems   |   http://www.logn.net/
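
An added example, not part of the original message: a small Python parser for the audit trail the reply mentions, separating commands run through sudo, interactive root shells such as the one `sudo -s` starts, and denied attempts. It assumes sudo's default syslog line layout; the sample lines, host name and user names are constructed.

```python
import re

# Constructed sample lines in sudo's default syslog layout (not from the post).
SAMPLE_LOG = """\
Jul  6 06:19:24 box1 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
Jul  6 06:25:02 box1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jul  6 06:31:40 box1 sudo:      bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
Jul  6 06:40:11 box1 sshd[812]: Accepted password for alice from 192.0.2.10 port 4022 ssh2
"""

SUDO_RE = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<invoker>\S+) : (?P<rest>.*)$")
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}


def parse_sudo_line(line):
    """Return a dict for one sudo log line, or None for any other line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    # COMMAND= is always last and may itself contain ';' or '=', so split it off first.
    head, _, command = m.group("rest").partition("COMMAND=")
    event = {"invoker": m.group("invoker"), "command": command.strip(), "reason": None}
    for part in filter(None, (p.strip() for p in head.split(";"))):
        key, sep, value = part.partition("=")
        if sep:
            event[key.lower()] = value      # tty, pwd, user (the target account)
        else:
            event["reason"] = part          # e.g. "command not allowed"
    argv = event["command"].split()
    is_shell = bool(argv) and argv[0].rsplit("/", 1)[-1] in SHELLS
    # An interactive root shell (what "sudo -s" logs) is one entry; commands
    # typed inside it are not recorded by sudo's default logging.
    event["root_shell"] = (event["reason"] is None and event.get("user") == "root"
                           and is_shell and "-c" not in argv)
    return event


def summarize(log_text):
    """Group sudo events into allowed commands, root shells and denials."""
    report = {"commands": [], "root_shells": [], "denied": []}
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event is None:
            continue
        bucket = "denied" if event["reason"] else "root_shells" if event["root_shell"] else "commands"
        report[bucket].append((event["invoker"], event["command"]))
    return report


if __name__ == "__main__":
    for bucket, entries in summarize(SAMPLE_LOG).items():
        print(bucket, entries)
```

Entries in `root_shells` mark the points where the per-command trail stops, which is the trade-off of working in a root shell instead of prefixing each command with sudo.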


