nanog mailing list archives

Re: Security Practices question


From: Scott Francis <darkuncle () darkuncle net>
Date: Wed, 2 Oct 2002 13:26:15 -0700

On Wed, Oct 02, 2002 at 04:06:00PM -0400, woods () weird com said:
> [ On Wednesday, October 2, 2002 at 11:47:12 (-0700), Scott Francis wrote: ]
> Subject: Re: Security Practices question
> 
> > Absolutely so - which is why no account should have multiple equally valid
> > passwords, which is what multiple accounts sharing a uid equates to.

> Hold on a minute.  You've taken this entirely out of proportion for any
> reasonable real-world scenario!

that last should have been qualified s/no account should/the root account
should not/

> It's _NOT_ that bad.  Not anywhere near.

> The only real risk with having multiple superuser (UID == 0) accounts is
> when the system has some form of vulnerability which makes it reasonable
> for an attacker to guess the password.  Now normally on any decently
> modern system the group of potential attackers who could even begin such
> an attack is limited strictly to those who are already members of the
> "wheel" group, and all of those people should already have the real root
> password anyway.

grr. Please read Barb's post about exactly why multiple aliases for the UID 0
account are a Bad Idea. It's not really about opening potential security
vulnerabilities as much as it is about bad (lazy) administration.

> The risks that a wheel-group member will execute a trojan of some sort
> that will help an attacker gain increased privileges are much higher
> than any of the risks directly associated with multiple UID==0 accounts!

Rubbish. There are no risks associated with members of gid 0 that are not
also associated with accounts having UID 0 - and multiple accounts with UID 0
bring in a host of other issues and problems.

> Different UID==0 accounts can have different home directories, and with
> careful implementation of certain tools the benefits of this mechanism
> also vastly outweigh the risks of having multiple UID==0 accounts.

bah. There is _nothing_ one could reasonably hope to accomplish by creating
multiple accounts with UID 0 that could not be accomplished at least as
easily, and vastly more safely, using sudo.

(before anybody uses it as a defense, yes, there are a (very) few systems out
there that sudo will not run on. That's not the debate here.)

> Even just the benefit of being able to appease multiple human superusers
> with the ability to specify different shells for their superuser
> account can be enough of a benefit to outweigh the risks (though of
> course with a small amount of training in the proper use of 'su', there
> really isn't any need to specify different default shells in the first
> place).

su isn't even needed. USE SUDO. I cannot believe that there are so many
otherwise clueful people out there that apparently are unfamiliar with the
fine-grained control and flexibility that this tool gives the admin (multiple
shells, multiple environments, etc. etc. etc.)

> You didn't give one solid example of a real-world threat or
> vulnerability for having multiple superuser (UID == 0) accounts.  Not
> one.  If you're going to say something is so bad that nobody should ever
> do it regardless then you'd better have some damned good solid threat
> analysis and risk assessment to back up your claim!

Trying to avoid yelling here. PLEASE go read Barb's excellent post on EXACTLY
why multiple UID 0 accounts are a problem. She details multiple real risks and
problems associated with this practice. I didn't list them because I thought
it would surely not be too much to ask for those posting to the thread to READ
the thread first, from the beginning. It's not that long.

> The only thing you really said that stands up to analysis is your
> repeated assertion that multiple accounts with the same UID are, from
> the system's perspective, simply multiple ways to authenticate access to
> the same underlying system ID and thus to grant exactly the same
> authorisations.  That is 100% true.  What this really means, especially
> if the UID in question is zero(0), is that ultimately all activities
> that take place on the system are done with that unified UID and so
> there's no way to hold separate human users accountable for their
> actions.  However in the case of UID==0 that's more or less true of 'su'
> even with just one "root" account.  You have to trust superusers 101%,

I never advocated using su. *sigh* Use sudo.

> regardless of how they authenticate to the system.  In turn they, if
> there's more than one of them, must each be held equally responsible for
> any and all damage done by any superuser.  If nobody confesses you can

Yes, there is trust that must be given along with superuser privs. The level
of trust required can be MUCH LOWER using sudo, ACLs, or some other system.
As opposed to just giving $admin or $user a blank check to do whatever they
please. There was an excellent talk on exactly why the UNIX permissions
scheme is archaic and needs to be replaced at ToorCon last weekend
<http://www.toorcon.org>, but this is getting off-topic (even for this
thread).

> point fingers just as easily with 'login' logs as you can with 'su'
> logs, but in the end you cannot prove anything with those logs alone if
> it's UID==0 (unless the logging is done securely in such a way that
> UID==0 cannot modify it).  The finger pointing suggested by the logs
> _MUST_ be corroborated with an external verifiable alibi (or hopefully
> multiples!) (which, BTW, is essentially what any secure logging system
> is, and it doesn't matter if 'login' or 'su' generates the audit trail).

USE SUDO. Most people, even those with a legitimate need for superuser
privileges, do not really need the ability to do EVERYTHING on the system as
UID 0. Sure, it takes a bit more effort to set up, but I don't think anybody
could argue that the gains in control, logging, security and
authentication/authorization are not worth it.

Use sudo, use ssh keys from a central admin host, use ACLs - use whatever you
like, but please don't create multiple aliases for an account and think it's
anything but an invitation to disaster.

> Sudo is a far worse solution, with a far higher false sense of security,
> than multiple UID==0 accounts, unless maybe you're using it purely and
> only for convenience and documentation purposes amongst a group of
> mutually trusting users who already each know the "real" root password
> anyway.

Can you back up that statement in /any/ way? What exactly are your reasons
why sudo is a worse solution (or even a bad idea)?
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui
