[52258] in North American Network Operators' Group


Re: Security Practices question

daemon@ATHENA.MIT.EDU (Ryan Fox)
Sun Sep 22 19:35:06 2002

From: Ryan Fox <rfox@amerisuk.com>
To: nanog@merit.edu
In-Reply-To: <20020922152211.G86955@oso.greenflash.net>
Date: 22 Sep 2002 19:41:13 -0400
Errors-To: owner-nanog-outgoing@merit.edu


On Sun, 2002-09-22 at 18:22, John M. Brown wrote:
> 
> What is your learned opinion of having host accounts
> (unix machines) with UID/GID of 0:0 
> 
> jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh

The biggest argument I have against creating accounts with uid 0 is
that even as an admin, I appreciate not always having admin privs.
I know I'm not perfect.  I like running most commands as a
non-privileged user, where a bad typo won't cause as much damage. :)

A way of getting around this, I suppose, would be to create 2 accounts
per admin user.  A normal unprivileged account, and a superuser
account.  This gets all of the accountability of having separate
superuser accounts, without some of the bad things.   Depending on the
size of your network, and the tools you use, this may increase the user
management work considerably.

Just some thoughts off the top of my head.  
Cheers,
Ryan
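
An added example, not part of the message above: an audit of passwd-format data that lists every UID-0 account other than root and checks whether each has the unprivileged twin account the reply proposes. The `_r` suffix convention is an assumption taken from the quoted `jmbrown_r` entry; all sample lines except that entry are constructed.

```python
"""Audit passwd-format data for extra UID-0 accounts and their unprivileged twins."""
from typing import NamedTuple

# Constructed sample; only the jmbrown_r line is the one quoted in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
jmbrown:x:1001:100:John M. Brown:/export/home/jmbrown:/bin/sh
asmith_r:x:0:0:A. Smith:/export/home/asmith:/bin/sh
daemon:x:1:1::/:
broken-line-without-fields
"""

SUFFIX = "_r"  # assumed naming convention for per-admin superuser accounts


class Entry(NamedTuple):
    name: str
    uid: int
    gid: int


def parse_passwd(text):
    """Return (entries, rejected_line_numbers); malformed lines are reported, not guessed."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        try:
            if len(fields) != 7:
                raise ValueError("wrong field count")
            entries.append(Entry(fields[0], int(fields[2]), int(fields[3])))
        except ValueError:
            rejected.append(lineno)
    return entries, rejected


def audit(text):
    entries, rejected = parse_passwd(text)
    by_name = {e.name: e for e in entries}
    uid0 = [e.name for e in entries if e.uid == 0 and e.name != "root"]
    unpaired = []
    for name in uid0:
        base = name[:-len(SUFFIX)] if name.endswith(SUFFIX) else None
        twin = by_name.get(base) if base else None
        # A twin only counts if it is itself unprivileged.
        if twin is None or twin.uid == 0:
            unpaired.append(name)
    return {"uid0": uid0, "unpaired": unpaired, "rejected_lines": rejected}
```
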

