Re: shared root account
Nice little storm of a chain I managed to start here... Quite off
the original topic, mainly, where I trust the users. Many good points
have been noted and basically all of them have been argued both pro and
con. I will do a little summary here:
1) Some people like sudo, some think it is not secure enough. In my
situation, where I am not worried about legitimate users trying
to get elevated privileges, this might just work. On the other
hand, the point that sudo elevates ordinary users' passwords into
root passwords obviously makes it easier for an illegitimate user
to gain root - it suffices to gain any sudoer's password and then
employing any of the methods mentioned here to gain root with
sudo regardless of the permissions allowed to that users by sudo.
Solution to that would be expiring passwords and installing some
password sanity checker - that way at least the users' passwords
ought to be fairly good and new, i.e. hard to crack. Of course if
someone cracks user A, who is NOT a sudoer and attempts to sudo,
we get log entries and even if A IS a sudoer, but the culprit has
simply managed to spawn A's shell and is trying to sudo, we get
log entries. No use of sudo's logging, as noted earlier, if the
attacker really has the password of a sudoer: logs can be cleaned
unless they are a) sent to another, secure, machine or b) they
are written to a write-once medium (anyone logging onto paper or
CD, for example? - grepping a paper ought to be ... fun?).
2) A few people like ssh RSA-auth. Good idea. But I may (will) need
access to these machines in situations when there is no network,
i.e. running manual fsck's after a power failure. No way of
ssh'ing into the box at that time. I will need the root password
anyway.
3) A few people would create additional uid=0 accounts. Since my
situation is akin to one with multiple admins trusting each other
(more exactly - it's _they_ who are trusting _me_, not the other
way around), this might be a good idea. No one would have to get
familiar with sudo (I know that would cause some resistance - it
would be viewed as something they do not need to get accustomed
to) and I would get my root. Of course, sudo would give me nice
logs of what the others have done - which is quite important if I
am to keep the boxes secure: not knowing what's been changed
makes that pretty hard. This is my option number 2 anyway, if
people resist learning to type 'sudo' instead of logging in as
root or saying 'su'.
4) Someone also noted that having linux workstations in the first place
is a bad idea due the X's flawed security but I do not seem to remember
any way of popping up windows on someone else's display when X
server is properly configured (i.e. only to accept connections
from localhost with a proper MIT secret cookie (or other auth
mechanism).
As I said above, in my situation, sudo is very appealing: keeping
root password to myself and letting the workstation users sudo (or vice
versa). One question raises however: If I have multiple uid=0 accounts,
will any of their passwords suffice as "root" password when entering
single user mode? Obviously sudo will not do here, so I will need a
root password, period. The other users will have to make do with either
sudo or multiple uid=0 accounts. Multiple uid=0 accounts sounds better
in that it does not elevate ordinary passwords into root passwords (of
course, in practice people may keep them the same - can that be
helped?) but on the other hand, sudo would log... I will have to see
how much use of their root accounts these people really make.
Although many of the replies did not answer my question at all, some
of them had good points, thanks to those.
--
-----------------------------------------------
| Juha Jäykkä, juolja@utu.fi |
| home: http://www.utu.fi/~juolja/ |
-----------------------------------------------
Reply to: