
Re: shared root account



At 994418143s since epoch (07/06/01 10:15:43 -0400 UTC), Ethan Benson wrote:
> On Fri, Jul 06, 2001 at 09:18:18AM -0400, Jason Healy wrote:
> > types of
> > passwords accepted to run root commands, etc).
> 
> elaborate.
> 
> the main reason i don't use sudo except for small things which cannot
> grant a root shell in any way is for the simple reason that sudo
> converts a normal unprivileged user password into another root
> password.  

I'm not a sudo expert, but I do use it and like it.  I'll try to
answer the questions asked here, but you really should READ THE DOCS
before you believe everything I say.

To your point (types of passwords), you can configure sudo (I think
using PAM) to only work with user passwords, or one-time passwords
(OTP), or whatever else PAM will take.  This allows you to force sudo
users to use passwords other than their standard account passwords.
I'm a fan of OTP because when used correctly they're very secure, even
over insecure connections (telnet).

Other people asked why sudo is better than su.  The main reason is
audit trail; sudo keeps logs of commands.  Additionally, you can grant
limited command access to people.  Admittedly, most commands can be
leveraged to gain full root privs (shells, editors, cat, chmod, and so
on), so you need to TRUST people you're giving sudo to.  However, sudo
is never any more dangerous than plain old su, if you think about it.

Also, you don't want root logins to be a normal thing.  You want to
KNOW if root is logged in on your box.  Script kiddies trying to get
in will try to get in as root first.  If you often log in as root,
it's less likely that you'll notice if someone else logs in as root.
Also, if you never use root as your login, you can restrict it
severely (only allow root logins on the console, for example).

Kiddies who break into user accounts pose less of a threat.  Sure, one
of those user accounts might be sudo-enabled, but to find out for
sure, they have to run a command under sudo.  If they aren't in the
sudoers file, then sudo will log the incident and e-mail it to root.
The odds of a script kiddie randomly hacking a sudo-enabled account on
a box with hundreds of accounts are very low, especially because
anybody you give sudo to should be extra careful about security.

Whew... that was a rant.  Anyway, here are my tips for using sudo
well.  Feel free to add your own:

1) Trust the people you give sudo to (assume they can get root with
   whatever access you give them)

2) Make sure those people are extra anal about security (secure logins,
   good passwords, etc)

3) Check your logs religiously

4) Disable root from logging in, except from the console

5) Never log in as root.  Use 'sudo -s' to get a shell if you must

6) Clamp down sudo as much as you are comfortable with, but don't drive
   people nuts.  For example, think about using OTP, but don't do it if
   people are going to hate it so much that they'll undermine the
   system.


Jason
--
Jason Healy    |     jhealy@logn.net
LogN Systems   |   http://www.logn.net/
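
An added example, not part of the original post: a small Python pass over
sudo's syslog lines in the spirit of tip 3, flagging denied attempts (such as
the "NOT in sudoers" incidents described above) and commands that hand out a
root shell. The sample log lines, the host name "box" and the SHELL_LIKE list
are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in sudo's syslog format (not taken from the post).
SAMPLE_LOG = """\
Jul  6 10:15:43 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
Jul  6 10:16:02 box sudo:  mallory : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/ls /root
Jul  6 10:17:30 box sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jul  6 10:18:11 box sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
Jul  6 10:19:05 box sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Jul  6 10:19:40 box sshd[812]: Accepted password for alice from 192.0.2.10 port 4022
"""

LINE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<fields>.*)$")
# Status strings sudo writes when it refuses a request.
DENIALS = ("user NOT in sudoers", "incorrect password attempt", "command not allowed")
# Assumed watch list: programs that give a root shell directly or via an escape.
SHELL_LIKE = {"sh", "bash", "csh", "tcsh", "zsh", "ksh", "vi", "vim", "emacs", "su"}


def classify(line):
    """Return (user, kind, command) for a sudo log line, or None for other lines."""
    m = LINE.search(line)
    if not m:
        return None
    # Split COMMAND off first: the command itself may contain " ; ".
    head, _, command = m.group("fields").partition("COMMAND=")
    status = head.split(" ; ")[0]
    if any(d in status for d in DENIALS):
        return (m.group("user"), "denied", command)
    words = command.split()
    prog = words[0].rsplit("/", 1)[-1] if words else ""
    return (m.group("user"), "root-shell" if prog in SHELL_LIKE else "ok", command)


def review(log_text):
    """All sudo events worth a human look: denials and root-shell grants."""
    events = (classify(line) for line in log_text.splitlines())
    return [e for e in events if e and e[1] != "ok"]


def denied_by_user(log_text):
    """Count refused sudo attempts per account."""
    return Counter(user for user, kind, _ in review(log_text) if kind == "denied")


if __name__ == "__main__":
    for user, kind, command in review(SAMPLE_LOG):
        print(f"{kind:10} {user:8} {command}")
```
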


