Re: Security Practices question

[Scott Francis <darkuncle () darkuncle net>]

On Tue, Oct 01, 2002 at 02:43:41PM -0700, kent () songbird com said:
[snip]
> > > I have question for the security community on NANOG.
> > >
> > > What is your learned opinion of having host accounts
> > > (unix machines) with UID/GID of 0:0 
> > >
> > > otherwords
> > >
> > > jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
> > >
> > > The argument is that way you don't hav to give out the root password,
> > > you can just nuke a users UID=0 equiv account when the leave and not
> > > have to change the real root account.
> >
> > This is a really /really/ REALLY bad idea. I had nightmare issues dealing
> > with a network formerly run by a 'sysadmin' who thought every user that 
> > might need to do something as root should have a uidzero account.
>
> That's not the issue, however.
>
> The assumption is that you have several people who really are fully
> qualified admins on the system in question, who really do need full
> privileged access.  The choice John describes is between giving these
> trusted sysadmins the password for "root", or giving them (and them
> alone) a UID 0 account as he describes (except that one would of course 
> use shadow passwords etc.)

Wrong. The choice is between having a single password for the user with id 0,
and having multiple passwords for that same account. This is an abysmally bad
idea, and shame on anybody encouraging it. See 
> To put it in other terms, the choice being presented is between several
> fully authorized sys admins sharing a single password for "root", or for
> each of them to have a unique password, known only to them and shared
> with nobody.  These are the people who would have full privileged access
> on the machine in any circumstance; the only issue is how they get that
> access. 
>
> In my past life working in a classified research facility, the following
> policy was strictly enforced: every sysadmin had a user level account
> and a root-equivalent account, and all normal work was done from the
> user-level account; direct logins to the root-equivalent account were
> disabled, so under normal circumstances the only means of getting uid 0
> access was through a user level login followed by an su to a unique
> account; the password for "root" was locked in a vault, and could only
> be retrieved in an emergency via a signout procedure, after which the
> password was changed and a new one was put in the vault -- in practice
> nobody used the "root" account for any purpose, except in emergencies. 
> In this environment sudo was used heavily, as well -- these
> root-equivalent accounts were only for the sysadmins who had full access
> to the system -- there were other admins who used sudo to handle many 
> routine system management tasks.
>
> This policy was arrived at after a lot of discussion, and it provides
> some significant advantages.  Most importantly, it allowed much better
> management of privileged access: in a large facility systems get added
> and modified frequently, sysadmins change responsibilities, emergencies
> happen; and you can very easily get to a point where it is hard to know
> just who currently has the password to the username "root" account. 
> (Fundamentally, all the arguments agains normal users sharing passwords
> apply with even more force to passwords for privileged accounts.)
>
> Kent

-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui

Attachment: _bin
Description: