[814] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

Re: [linux-security] Admin note (recent traffic surge).

daemon@ATHENA.MIT.EDU (JaDe)
Mon Jun 17 09:57:41 1996

From: jadestar@netcom.com (JaDe)
To: woody@altair.stmarys-ca.edu (Woody Weaver)
Date: Fri, 14 Jun 1996 16:00:53 -0700 (PDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <m0uTbSu-0005KYC@altair.stmarys-ca.edu> from "Woody Weaver" at Jun 11, 96 02:59:00 pm

> I have one question about uid 0 accounts.  Of course one wants to give
> minimum permissions to accounts, and the more uid 0 passwords floating
> around the more risks one takes.  Generally, the "all the eggs in one
> basket and watch that basket very closely" is a good idea.  However,
> as one author noted, if you permit a novice to su and do work, there
> is a possibility that they might do something that prevents normal use
> of the system, such as accidentally changing the root password.
> 

	I recommend two root accounts (root and 'toor' or 'ruut' or
	whatever).  The one root account is "normal" and used by 
	all who need root access.  The other gets a random string
	as a password -- this is hand written onto paper after being
	generated and the paper is sealed in a "security" envelope
	and locked in a safe (i.e. forget about it until "normal"
	root's account is dead).

	For the other one I suggest that only *one* person
	(the primary admin) has the real password.

	Everyone else that needs root access uses 'sudo su -'
	(they use *their own* password to become root).
	Wherever possible these other administrators actually
	aren't even allowed a direct root shell -- they 
	execute sudo scripts that just provide them access to 
	the commands that they really need (add.a.user, 
	change.a.passwd, edit.aliases, etc).

	The advantages to this approach are in accountability.
	Each use of any root shell or script by any of the admins
	is logged (preferably to a remote, more secure machine).

	By having sudo in place -- and by examining the logs of 
	usage (all su shell sessions should be running 'script')
	you can incrementally tighten up the security (by 
	identifying what your admin team is *really doing* as root
	and scripting each part of it as possible).

	The sad reality of administering a multi-user Unix host
	(as opposed to a workstation, or a server) is that there are
	too many administrative tasks with require root access
	for which is *should* be possible to delegate to trusted
	admins. (This happens to a lesser degree in Netware and 
	to an even greater degree in NT and probably in varying 
	degrees in other systems).
	
	'sudo' is no panacea (any scripts you write are subject
	to the same potential bugs as an SUID script) the
	main advantages are that you limit who uses the script
	(without a *shared* password), and you get logging
	for free.  

	I've set up certain "psuedo accounts" (like the 'mlist'
	"Mail List Manager" and 'postgres' "Postgres DB Admin")
	with a '*' password and configured the system to only 
	allow 'sudo su - ... ' to access those accounts.  I've
	even considered making the 'root' password '*' and
	using the same technique (been to busy/timid to try that 
	yet).

	Does anyone know of potential problems with this approach?

	Does anyone on this list have suggestions or caveats for
	those of us that are still learning 'sudo'?

	Can anyone offer us some reasonable alternatives for 
	delegating/distributing *limited* administrative 
	functions?


home help back first fref pref prev next nref lref last post