[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sudo questions

On 8/16/2013 8:31 AM, berenger.morel@neutralite.org wrote:
Le 15.08.2013 04:11, Richard Hector a écrit :
By using su, with root's password, that means everyone who has root has
full root and knows the same password, so that will have to be changed
if they are to be blocked, which means communicating the new password to
all the required users.

I apologize, but I think that this statement about everyone with root
access having the same password is wrong.
You can just create an root account for every people with root access,
giving them the ID 0 and you will not need to communicate highly
sensitive passwords.

Which would be a major security risk. You do NOT want a bunch of ids with root privileges. Nor do you want anyone but the system administrator (and backup) to have full root access to the system.

Also, if we speak about high security or accounts ( which is something I
will probably never have to work with ) , I think that if one day I have
to administrate a server, I would try to rename root into something
else. Why? Because everyone knows ( ok, every potential attacker ) the
name of root, which means half the informations needed to login in it (
yes, I know that root passwords should be safe, but there are 2 ways to
protect something: put it into a giant, unbreakable safe, or simply
hiding it. Combining both seems always better to me. ) . Of course, I'm
sure that this would imply to work around few things on usual systems...

I've worked with high security servers. Renaming root isn't really much added security. Rather, you need to prevent root from logging in remotely, which is quite easy to do.

Once a user is logged in, they can use sudo or su to access additional privileges; these do not need to know the name of the root account.

Preventing root login from remote systems is much more secure than renaming the account.

Well, I am not a sysadmin (and to be honest, most of my accounts are
easy to stole, including the root password of my personal computers), so
I might be wrong in some of my phrases. If so, please correct me.

My 2 cents.

Reply to: