[52457] in North American Network Operators' Group
Re: Security Practices question
daemon@ATHENA.MIT.EDU (Scott Francis)
Wed Oct 2 14:37:02 2002
Date: Wed, 2 Oct 2002 11:34:38 -0700
From: Scott Francis <darkuncle@darkuncle.net>
To: kent@songbird.com
Cc: nanog@merit.edu
Mail-Followup-To: Scott Francis <darkuncle@darkuncle.net>,
kent@songbird.com, nanog@merit.edu
In-Reply-To: <20021001144341.A22148@songbird.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, Oct 01, 2002 at 02:43:41PM -0700, kent@songbird.com said:
[snip]
> > > I have question for the security community on NANOG.
> > >
> > > What is your learned opinion of having host accounts
> > > (unix machines) with UID/GID of 0:0
> > >
> > > in other words
> > >
> > > jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
> > >
> > > The argument is that way you don't have to give out the root password,
> > > you can just nuke a user's UID=0 equiv account when they leave and not
> > > have to change the real root account.
> >
> > This is a really /really/ REALLY bad idea. I had nightmare issues dealing
> > with a network formerly run by a 'sysadmin' who thought every user that
> > might need to do something as root should have a uidzero account.
>
> That's not the issue, however.
>=20
> The assumption is that you have several people who really are fully
> qualified admins on the system in question, who really do need full
> privileged access. The choice John describes is between giving these
> trusted sysadmins the password for "root", or giving them (and them
> alone) a UID 0 account as he describes (except that one would of course
> use shadow passwords etc.)
Wrong. The choice is between having a single password for the user with id 0,
and having multiple passwords for that same account. This is an abysmally bad
idea, and shame on anybody encouraging it. See
>
> To put it in other terms, the choice being presented is between several
> fully authorized sys admins sharing a single password for "root", or for
> each of them to have a unique password, known only to them and shared
> with nobody. These are the people who would have full privileged access
> on the machine in any circumstance; the only issue is how they get that
> access.
>
> In my past life working in a classified research facility, the following
> policy was strictly enforced: every sysadmin had a user level account
> and a root-equivalent account, and all normal work was done from the
> user-level account; direct logins to the root-equivalent account were
> disabled, so under normal circumstances the only means of getting uid 0
> access was through a user level login followed by an su to a unique
> account; the password for "root" was locked in a vault, and could only
> be retrieved in an emergency via a signout procedure, after which the
> password was changed and a new one was put in the vault -- in practice
> nobody used the "root" account for any purpose, except in emergencies.
> In this environment sudo was used heavily, as well -- these
> root-equivalent accounts were only for the sysadmins who had full access
> to the system -- there were other admins who used sudo to handle many
> routine system management tasks.
>
> This policy was arrived at after a lot of discussion, and it provides
> some significant advantages. Most importantly, it allowed much better
> management of privileged access: in a large facility systems get added
> and modified frequently, sysadmins change responsibilities, emergencies
> happen; and you can very easily get to a point where it is hard to know
> just who currently has the password to the username "root" account.
> (Fundamentally, all the arguments against normal users sharing passwords
> apply with even more force to passwords for privileged accounts.)
>
> Kent
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
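The "uidzero account" setup debated in the message above, as an added example that is not part of the original thread or of any tool it names: a small POSIX sh audit that flags every account other than root whose UID or GID is 0, which is exactly the jmbrown_r-style entry John describes. The sample passwd file is constructed for the demonstration, and the ops_r account in it is hypothetical, included to show that a stray GID 0 is worth flagging as well.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): find root-equivalent accounts
# in a passwd file. Any entry other than "root" with UID 0 or GID 0 is
# reported; such entries are the "uidzero accounts" the thread argues against.

# list_uid0_accounts FILE
#   Print "user:uid:gid:shell" for every root-equivalent entry in FILE.
#   Fields: name:passwd:uid:gid:gecos:home:shell (standard passwd layout).
list_uid0_accounts() {
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) {
        print $1 ":" $3 ":" $4 ":" $7
    }' "$1"
}

# count_uid0_accounts FILE
#   Number of root-equivalent entries; 0 means the file is clean, so the
#   value can gate a cron job or a configuration-management check.
count_uid0_accounts() {
    list_uid0_accounts "$1" | wc -l | tr -d ' '
}

# write_sample_passwd PATH
#   Write a constructed /etc/passwd to PATH. jmbrown_r is the account from
#   the thread; ops_r is a hypothetical account with only GID 0.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jmbrown:x:1001:1001:John M. Brown:/export/home/jmbrown:/bin/sh
jmbrown_r:x:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
ops_r:x:1002:0:Ops:/home/ops:/bin/sh
alice:x:1003:1003:Alice:/home/alice:/bin/sh
EOF
}

# report_uid0_accounts FILE
#   Human-readable summary of the audit; always returns 0 so it can be
#   sourced or run under "set -e" without aborting the caller.
report_uid0_accounts() {
    found="$(count_uid0_accounts "$1")"
    if [ "$found" -eq 0 ]; then
        echo "OK: no root-equivalent accounts besides root in $1"
    else
        echo "WARNING: $found root-equivalent account(s) besides root in $1:"
        list_uid0_accounts "$1"
    fi
}

# Stand-alone run against the constructed sample; on a real host you would
# point report_uid0_accounts at /etc/passwd instead.
SAMPLE_PASSWD="$(mktemp)"
write_sample_passwd "$SAMPLE_PASSWD"
report_uid0_accounts "$SAMPLE_PASSWD"
rm -f "$SAMPLE_PASSWD"
```

On a real system the check belongs next to the alternative the thread describes: one unprivileged account per admin, privilege obtained through su to a unique account or through sudo (which logs who ran what), and the real root password locked away so that the only UID 0 entry in passwd is root itself. The audit above is the cheap way to confirm that state has not drifted.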