
Re: sudo questions





On 16.08.2013 17:50, Jerry Stuckle wrote:
On 8/16/2013 11:08 AM, berenger.morel@neutralite.org wrote:


On 16.08.2013 16:03, Jerry Stuckle wrote:
On 8/16/2013 8:31 AM, berenger.morel@neutralite.org wrote:
On 15.08.2013 04:11, Richard Hector wrote:
By using su, with root's password, that means everyone who has root has
full root and knows the same password, so that will have to be changed
if they are to be blocked, which means communicating the new password to
all the required users.

I apologize, but I think that this statement about everyone with root
access having the same password is wrong.
You can just create a root account for every person with root access,
giving them the ID 0, and you will not need to communicate highly
sensitive passwords.


Which would be a major security risk. You do NOT want a bunch of ids
with root privileges.  Nor do you want anyone but the system
administrator (and backup) to have full root access to the system.

Why would it be worse than a shared admin account? For the shared
account, I can easily understand why it's not something to do, but I
cannot see the problem with multiple "root" accounts.
(I did not say that the admins should use them for daily tasks, just
that it was possible to use that to avoid changing a password when
someone lost his rights.)



It is that many more accounts with root access that can be broken
into, and you have to protect against hackers.

Now I see the point, thanks.

You should only have two (in large shops maybe 3) people with full
root access - that admin and his/her backup(s).  Then you prevent
'root' from being logged into remotely. Finally, you give people with
the need for *some* special access limited access to those resources.

I see. So here I can see why to use sudo on servers: for its granularity. I have no idea if such granularity could be achieved with su (maybe with groups, I guess, but it would be limited to files, so it would be useless for root programs).

It is far safer for those two or three who need root access to log in
with their own id then su to get to root.

Given that Debian does it (forbids remote root access) and that I always use su locally, I already do that. Happy to learn that it's a good thing.

Please read up on system administration and linux security in
general. Properly securing a system is a systematic process with lots
of things to consider.  It is not something you can learn in a few
usenet messages.

Of course, I cannot learn such a complex thing from just a few messages.
I simply took the occasion to learn and understand one thing. I do not really have the time to learn system security; I still have a lot of things to learn about programming, which is my job (without speaking about simple system maintenance and/or the use of tools I can discover at random through aptitude. I still feel like a newbie despite my years of using Debian...). But it does not mean that I limit my curiosity to programming... after all, how could someone write a good program if he only knows programming? I like to say that the main programmers' qualities are curiosity and laziness, which are usually considered to be problems ;)
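As an added example (not part of this thread or of Debian), a small POSIX shell audit covering the two points raised above: it lists every UID-0 account in passwd-format data and reports the PermitRootLogin setting from an sshd_config fragment. The sample passwd and sshd_config contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helpers (not from the thread): list UID-0 accounts and report
# the sshd PermitRootLogin setting. Inputs are read from stdin so the same
# functions work on /etc/passwd and /etc/ssh/sshd_config on a real host.

# Constructed sample /etc/passwd data: a second UID-0 account besides root.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob_root:x:0:0:second root account:/home/bob:/bin/bash'

# Constructed sample sshd_config fragment with remote root login enabled.
SAMPLE_SSHD='Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no'

# Login names of every account whose UID (field 3) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Number of UID-0 accounts; anything above 1 means extra full-root logins.
count_uid0() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }'
}

# UID-0 accounts other than root itself (empty output if there are none).
extra_uid0_accounts() {
    uid0_accounts | grep -v '^root$' || true
}

# Value of the first uncommented PermitRootLogin directive, lowercased,
# or "unset" when the fragment does not set it (sshd uses the first match).
permit_root_login_value() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }'
}

# Report for the constructed samples.
printf 'UID-0 accounts: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | count_uid0)"
printf 'Extra UID-0 accounts: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts)"
printf 'PermitRootLogin: %s\n' "$(printf '%s\n' "$SAMPLE_SSHD" | permit_root_login_value)"
```

On a real host, pipe /etc/passwd and /etc/ssh/sshd_config into the functions instead of the samples.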

