[52299] in North American Network Operators' Group


Re: Security Practices question

daemon@ATHENA.MIT.EDU (Scott Francis)
Mon Sep 23 17:48:24 2002

Date: Mon, 23 Sep 2002 14:44:34 -0700
From: Scott Francis <darkuncle@darkuncle.net>
To: "John M. Brown" <john@chagresventures.com>
Cc: nanog@merit.edu
Mail-Followup-To: Scott Francis <darkuncle@darkuncle.net>,
	"John M. Brown" <john@chagresventures.com>, nanog@merit.edu
In-Reply-To: <20020922152211.G86955@oso.greenflash.net>
Errors-To: owner-nanog-outgoing@merit.edu




On Sun, Sep 22, 2002 at 03:22:11PM -0700, john@chagresventures.com said:
>
> I have a question for the security community on NANOG.
>
> What is your learned opinion of having host accounts
> (unix machines) with UID/GID of 0:0
>
> in other words
>
>
> jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
>
>
> The argument is that way you don't have to give out the root password,
> you can just nuke a user's UID=0 equiv account when they leave and not
> have to change the real root account.

This is a really /really/ REALLY bad idea. I had nightmare issues dealing
with a network formerly run by a 'sysadmin' who thought every user that might
need to do something as root should have a uidzero account. I seriously
cannot think of ANY scenario, no matter how improbable, in which what you're
suggesting would be a good idea (or even defensible).

> Now, don't flame me over the question, but provide valid pros or cons
> for this practice from your experience.

Names on accounts are strictly an abstraction to make interacting with the
system easier for us dumb humans. In reality, there is only one UID 0, no
matter how many copies of it you make. This means there is NO difference
between giving out the root password to everybody, and giving everybody UID 0
accounts. None. As far as the system is concerned, the two are one and the
same.

> thank you.
>
> the reason I'm asking is important.

Even were it not, I'd still urge you - please do not consider this a valid
option.

> john brown
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui
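The point of the reply above is that the kernel only ever sees the numeric UID, so any passwd entry with UID 0 is root regardless of its name. The following audit script is an added example, not part of the original thread or any NANOG tool: it parses passwd-format lines (the sample text is constructed here and includes the entry from the question) and lists every UID-0 account that is not on an allowlist, which is the check a sysadmin would run to find root-equivalent accounts.

```python
"""Audit /etc/passwd-style data for root-equivalent (UID 0) accounts."""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse lines of the form name:pw:uid:gid:gecos:home:shell."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def root_equivalents(entries, allow=("root",)):
    """Names of UID-0 accounts not on the allowlist.

    The kernel checks only the number, so each of these *is* root
    under another name, exactly as the reply above describes."""
    return [e.name for e in entries if e.uid == 0 and e.name not in allow]


# Constructed sample: the entry from the question plus a few ordinary ones.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jmbrown_r:x:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
jmbrown:x:1001:1001:John M. Brown:/export/home/jmbrown:/bin/sh
"""

if __name__ == "__main__":
    # Audit a real passwd file if one is given, otherwise the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for name in root_equivalents(parse_passwd(text)):
        print(f"root-equivalent account: {name}")
```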

