nanog mailing list archives

Re: Security Practices question


From: Scott Francis <darkuncle () darkuncle net>
Date: Wed, 2 Oct 2002 11:47:12 -0700

On Tue, Oct 01, 2002 at 02:43:41PM -0700, kent () songbird com said:
[snip]
> On Mon, Sep 23, 2002 at 02:44:34PM -0700, Scott Francis wrote:
> > On Sun, Sep 22, 2002 at 03:22:11PM -0700, john () chagresventures com said:
> > >
> > > I have a question for the security community on NANOG.
> > >
> > > What is your learned opinion of having host accounts
> > > (unix machines) with UID/GID of 0:0
> > >
> > > in other words
> > >
> > > jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
> > >
> > > The argument is that way you don't have to give out the root password,
> > > you can just nuke a user's UID=0 equiv account when they leave and not
> > > have to change the real root account.
> >
> > This is a really /really/ REALLY bad idea. I had nightmare issues dealing
> > with a network formerly run by a 'sysadmin' who thought every user that
> > might need to do something as root should have a uidzero account.
>
> That's not the issue, however.
>
> The assumption is that you have several people who really are fully
> qualified admins on the system in question, who really do need full
> privileged access.  The choice John describes is between giving these
> trusted sysadmins the password for "root", or giving them (and them
> alone) a UID 0 account as he describes (except that one would of course
> use shadow passwords etc.)

Wrong. The choice here is between having one password for the account with
uid zero, and having multiple, equally valid passwords for that same
account. This is an abysmally bad idea, and shame on anybody that encourages
it. See Barb Dijker's reply in this thread for more details on why.

> To put it in other terms, the choice being presented is between several
> fully authorized sys admins sharing a single password for "root", or for
> each of them to have a unique password, known only to them and shared
> with nobody.  These are the people who would have full privileged access
> on the machine in any circumstance; the only issue is how they get that
> access.

Still wrong - with multiple entries in /etc/passwd sharing a single UID, you
end up with multiple passwords for the same exact user, as far as the system
is concerned. The name placed with that user id is strictly a human
convention - to the system, it's all the same user, multiple aliases
notwithstanding.

> In my past life working in a classified research facility, the following
> policy was strictly enforced: every sysadmin had a user level account
> and a root-equivalent account, and all normal work was done from the
> user-level account; direct logins to the root-equivalent account were
> disabled, so under normal circumstances the only means of getting uid 0
> access was through a user level login followed by an su to a unique
> account; the password for "root" was locked in a vault, and could only

which was a waste of time - every account with a UID of zero already HAD a
password for root. In the case mentioned, root had not one but one + (number
of non-root uid zero accounts) passwords, all equally valid. (Unless of
course the system in question was running some bizarre version of UNIX
dissimilar to every other I have seen.)

> be retrieved in an emergency via a signout procedure, after which the
> password was changed and a new one was put in the vault -- in practice
> nobody used the "root" account for any purpose, except in emergencies.
> In this environment sudo was used heavily, as well -- these
> root-equivalent accounts were only for the sysadmins who had full access
> to the system -- there were other admins who used sudo to handle many
> routine system management tasks.

There is no reason to have multiple UID zero accounts. In the very best of
scenarios, it's a horrible kludge and an excuse for lazy admins to avoid
using sudo properly. That's in the _best_ of scenarios.

> This policy was arrived at after a lot of discussion, and it provides
> some significant advantages.  Most importantly, it allowed much better

I would _love_ to hear what advantages this provided.

> management of privileged access: in a large facility systems get added
> and modified frequently, sysadmins change responsibilities, emergencies
> happen; and you can very easily get to a point where it is hard to know
> just who currently has the password to the username "root" account.

Every individual with an account that has a uid of zero had the root
password. Again, see Barb Dijker's mail for more on this.

> (Fundamentally, all the arguments against normal users sharing passwords
> apply with even more force to passwords for privileged accounts.)

Absolutely so - which is why no account should have multiple equally valid
passwords, which is what multiple accounts sharing a uid equates to.

Use sudo, use ssh keys from a central admin host, use ACLs - use whatever you
like, but please don't create multiple aliases for an account and think it's
anything but an invitation to disaster.

> Kent

-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui
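As an added example (not part of the thread or any poster's code), the audit check that follows from Scott's point: every passwd(5) entry with UID 0 besides "root" is another alias for the superuser with its own valid password, so a defender wants to enumerate and count them. The passwd data is a constructed sample that reuses the entry John quoted; the login name oncall_adm is invented.

```sh
# Constructed passwd(5) sample (shadow passwords in use, hence the "x").
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jmbrown_r:x:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
kent:x:1001:1001:Kent:/home/kent:/bin/sh
oncall_adm:x:0:0:constructed second alias:/root:/bin/sh'

# Read passwd-format lines on stdin and print every login name that shares
# UID 0 with root. Field 3 is the numeric UID; blank and comment lines skip.
uid0_aliases() {
    awk -F: '/^[[:space:]]*(#|$)/ { next } $3 == 0 && $1 != "root" { print $1 }'
}

# Read a passwd file on stdin and report. Returns 0 when root is the only
# UID 0 account, 1 when aliases exist. The superuser then has (1 + aliases)
# equally valid passwords, which is the thread's objection in one number.
check_passwd() {
    aliases=$(uid0_aliases)
    if [ -z "$aliases" ]; then
        echo "ok: root is the only UID 0 account"
        return 0
    fi
    n=$(printf '%s\n' "$aliases" | wc -l | tr -d ' ')
    echo "WARNING: $n extra UID 0 account(s); root has $((n + 1)) valid passwords:"
    printf '  %s\n' $aliases
    return 1
}

# Demo run against the constructed sample; exit status 1 is the expected
# outcome here, so it is captured rather than allowed to abort the script.
printf '%s\n' "$SAMPLE_PASSWD" | check_passwd && status=0 || status=$?
echo "check_passwd exit status: $status"
```

On a live system the same check is `check_passwd < /etc/passwd`; on hosts using NIS or LDAP, feed it `getent passwd` instead so directory-sourced UID 0 entries are included.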
