nanog mailing list archives

Really, really, really off topic, but (was Re: Security Practices question)


From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Sun, 22 Sep 2002 15:47:56 -0700


"John M. Brown" wrote:

> I have a question for the security community on NANOG.

I confess that I think of NANOG as not being a security community, rather
it is a group of north american network operators. That said, you can find
all sorts of info for the somewhat naive question below by a slightly
judicious use of our friend, Google. That said, and since I'm avoiding work
that I SHOULD be doing, I will answer your Important question.

> What is your learned opinion of having host accounts
> (unix machines) with UID/GID of 0:0

This shows a certain naiveté, and suggests that you have not heard of truly
useful tools such as sudo. If it's UNIX, sudo builds. Why is this a bad
thing? The first number in your password entry implies USER. Not users.
There is simply no way to tell which of many multiples of people might have
made a change in your system, since the UID is the same for all.

> In other words
>
> jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh

I also truly hope that this was just a quick copy by you, and that you are
not truly discussing a system here that allows the password file to
actually contain the password. Please tell me that your password file is at
least shadowed, and that was just a typo.

> The argument is that way you don't have to give out the root password,
> you can just nuke a user's UID=0 equiv account when they leave and not
> have to change the real root account.

I will also supply you with a bit of advice, one that I see even using SSH
over the network to my own machines:

"Don't login as root, use su"

> Now, don't flame me over the question, but provide valid pros or cons
> for this practice from your experience.

There are no positive aspects to this practice. I suggest that you get the
wonderful red book (now colored purple, last I recall) by Evi Nemeth et al,
and study it thoroughly.

I now return you to the discussion on (wireless and other) security, how
much is too much, and so on.

--
...some sort of steganographic chaffing and winnowing scheme
already exists in practice right here: I frequently find myself
having to sort through large numbers of idiotic posts to find
the good ones.   -- Rufus Faloofus
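
An added example, not part of the original post or thread: a small audit script that applies the two checks the reply raises to constructed /etc/passwd-style lines (including the one quoted above). It flags every UID 0 account other than root, since a shared UID leaves no way to attribute a change to a person, and any entry whose password field holds something other than a shadow marker.

```python
# Audit /etc/passwd-style entries for the two problems raised in the post:
# extra UID-0 accounts and password material stored in passwd, not shadow.
# The sample lines below are constructed for illustration.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:$6$saltsalt$hashhashhash:1002:1002:Bob:/home/bob:/bin/bash
"""

# Values that mean "look in /etc/shadow" or "no password login allowed"
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Yield (name, passwd_field, uid, gid, gecos, home, shell) per entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        yield name, pw, int(uid), int(gid), gecos, home, shell


def audit_passwd(text):
    """Return a list of (username, finding) tuples, in file order."""
    findings = []
    for name, pw, uid, gid, gecos, home, shell in parse_passwd(text):
        if uid == 0 and name != "root":
            # Shared UID 0: logs record the same UID for every root user,
            # so changes cannot be attributed to a person. Use sudo instead.
            findings.append((name, "extra UID 0 account"))
        if pw not in SHADOW_MARKERS:
            # /etc/passwd is world-readable; a hash (or worse, a cleartext
            # password) here belongs in /etc/shadow.
            findings.append((name, "password field not shadowed"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {finding}")
```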

