
Re: sudo questions



On 8/16/2013 8:31 AM, berenger.morel@neutralite.org wrote:
On 15.08.2013 04:11, Richard Hector wrote:
By using su, with root's password, that means everyone who has root has
full root and knows the same password, so that will have to be changed
if they are to be blocked, which means communicating the new password to
all the required users.

I apologize, but I think that this statement about everyone with root
access having the same password is wrong.
You can just create a root account for every person with root access,
giving them the ID 0, and you will not need to communicate highly
sensitive passwords.


Which would be a major security risk. You do NOT want a bunch of ids with root privileges. Nor do you want anyone but the system administrator (and backup) to have full root access to the system.

Also, if we speak about high security or accounts (which is something I
will probably never have to work with), I think that if one day I have
to administrate a server, I would try to rename root to something
else. Why? Because everyone knows (ok, every potential attacker) the
name of root, which means half the information needed to log in to it
(yes, I know that root passwords should be safe, but there are 2 ways to
protect something: put it into a giant, unbreakable safe, or simply
hide it. Combining both always seems better to me). Of course, I'm
sure that this would imply working around a few things on usual systems...


I've worked with high security servers. Renaming root isn't really much added security. Rather, you need to prevent root from logging in remotely, which is quite easy to do.

Once a user is logged in, they can use sudo or su to access additional privileges; these do not need to know the name of the root account.

Preventing root login from remote systems is much more secure than renaming the account.

Well, I am not a sysadmin (and to be honest, most of my accounts are
easy to steal, including the root passwords of my personal computers), so
I might be wrong in some of my phrases. If so, please correct me.

My 2 cents.
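As an added example (not from this thread or any of its authors), here is a small POSIX shell audit for the two points the reply makes: a passwd file should contain exactly one UID 0 account, and sshd_config should carry PermitRootLogin no so root cannot log in remotely. The passwd and sshd_config contents are constructed samples; the file names and function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Audits two points made above:
#  1. only one account should carry UID 0 (extra UID-0 "root clones"
#     multiply the credentials that unlock full root);
#  2. sshd should refuse remote root login (PermitRootLogin no).
# All input files are constructed samples written to a temp dir.

# Print the login names that carry UID 0 in a passwd-format file.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print how many accounts carry UID 0 (0 if none).
uid0_count() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Succeed only if exactly one UID-0 account exists.
single_root_ok() {
    [ "$(uid0_count "$1")" -eq 1 ]
}

# Succeed only if the first PermitRootLogin directive says "no".
# sshd uses the first value it reads for a keyword; Match blocks and
# Include files are not handled by this simplified check.
root_login_blocked() {
    v=$(awk 'tolower($1) == "permitrootlogin" && !seen { val = tolower($2); seen = 1 }
             END { print val }' "$1")
    [ "$v" = "no" ]
}

tmp=$(mktemp -d)
# Constructed samples: one passwd with a second UID-0 account, one without.
cat > "$tmp/passwd.bad" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:0:0:alice (root clone):/home/alice:/bin/sh
bob:x:1001:1001:bob:/home/bob:/bin/sh
EOF
printf 'root:x:0:0:root:/root:/bin/sh\nbob:x:1001:1001::/home/bob:/bin/sh\n' > "$tmp/passwd.good"
# Constructed samples: sshd_config before and after the fix.
printf '# PermitRootLogin no (commented out, so it does not count)\nPermitRootLogin yes\n' > "$tmp/sshd.weak"
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$tmp/sshd.fixed"

for f in passwd.bad passwd.good; do
    single_root_ok "$tmp/$f" && echo "$f: ok" || echo "$f: UID-0 accounts: $(uid0_accounts "$tmp/$f" | tr '\n' ' ')"
done
for f in sshd.weak sshd.fixed; do
    root_login_blocked "$tmp/$f" && echo "$f: remote root login blocked" || echo "$f: remote root login ALLOWED"
done
```

Run against the real /etc/passwd and /etc/ssh/sshd_config (as root) the same functions report how many UID-0 accounts exist and whether the first PermitRootLogin directive blocks remote root login.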



