[52250] in North American Network Operators' Group
Re: Security Practices question
daemon@ATHENA.MIT.EDU (Bradley Dunn)
Sun Sep 22 18:39:33 2002
Date: Sun, 22 Sep 2002 15:38:57 -0700 (PDT)
From: Bradley Dunn <bradley@dunn.org>
To: "John M. Brown" <john@chagresventures.com>
Cc: "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <20020922152211.G86955@oso.greenflash.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Sun, 22 Sep 2002, John M. Brown wrote:
> What is your learned opinion of having host accounts
> (unix machines) with UID/GID of 0:0
>
> In other words:
>
> jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
>
> The argument is that way you don't have to give out the root password,
> you can just nuke a user's UID=0 equiv account when they leave and not
> have to change the real root account.
You'd need a tamper-proof host-based IDS monitoring every file to ensure the
user doesn't install any trojans or backdoors. I assume you don't want to
re-install the OS from trusted media every time you rmuser.
Using something like sudo would be a much better idea.
Bradley
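A check a practitioner would want alongside this thread, added here as an example and not part of the original posts: an audit of a passwd-format file for accounts that share UID 0 (and, separately, GID 0) with root. The sample passwd file below is constructed for the example; the account names in it are illustrative. The comparison is numeric rather than a `grep ':0:'`, because the C library parses the UID field with strtoul-style conversion, so `00` or `+0` in that field is still root.

```shell
#!/bin/sh
# Audit a passwd file for accounts that are root-equivalent by UID or GID.
# Example code for the UID 0 discussion above; not from the original thread.

# Constructed sample passwd file (illustrative names, not real accounts).
SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jmbrown_r:x:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
bdunn:x:1001:1001:Bradley Dunn:/home/bdunn:/bin/sh
oper:x:1002:0:Operator:/home/oper:/bin/sh
sneaky:x:00:1003:Leading zero UID:/home/sneaky:/bin/sh
EOF

# Print every account other than "root" whose UID field is numerically 0.
# awk compares the field as a number, so "00" and "+0" are caught; a
# textual match on ":0:" would miss them.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print every account other than "root" whose primary GID is 0.
# GID 0 alone is not root, but it grants group-write to whatever
# group-0-owned files exist, so it deserves the same review.
find_gid0_accounts() {
    awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"
}

# Count how many passwd entries resolve to UID 0 in total (root included).
count_uid0_entries() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

echo "Non-root accounts with UID 0:"
find_uid0_accounts "$SAMPLE_PASSWD"
echo "Non-root accounts with GID 0:"
find_gid0_accounts "$SAMPLE_PASSWD"
echo "Total UID 0 entries: $(count_uid0_entries "$SAMPLE_PASSWD")"
```

Run it against the real file with `find_uid0_accounts /etc/passwd` (and the same for NIS or LDAP maps via `getent passwd`, since a duplicate UID 0 can live outside the local file). Any name it prints other than root is exactly the kind of account the question asks about; the sudo route the reply recommends replaces each such entry with a per-user rule in sudoers that names the commands the person may run, which `visudo -c` validates before it is installed.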