[52497] in North American Network Operators' Group
Re: Security Practices question
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Oct 3 12:28:07 2002
To: nanog@merit.edu
In-Reply-To: Your message of "Wed, 02 Oct 2002 17:48:16 PDT."
<Pine.GSO.4.33L0.0210021745300.23094-100000@pants.snark.net>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 03 Oct 2002 12:27:30 -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 02 Oct 2002 17:48:16 PDT, just me said:
> In a situation where the team needs root; all per-admin UID 0
> accounts add is accountability and personalized shells/environments.
Accountability is always good, but you can do even better with sudo (Sorry,
I couldn't resist).
As far as personalized shells/environments go, I've found that this helps
a lot:
    export ENV=~/.kshrc          # for ksh-based systems
    export BASH_ENV=~/.bashrc    # for bash-based boxes
    su -m                        # or whatever "save the environment" parameter your su has
and voila, you have your preferred environment.
Bottom line - per-admin UID 0 doesn't give you anything you couldn't get
via other means.
(And please, no flames about using su rather than sudo, or the wisdom of
using su and preserving the environment - I've already done the analysis
and decided it's correct *for the machines in question*.)
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
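
A check a site could run before the su -m step in the message above, as an added example that is not part of the original post: it verifies that the rc file named by ENV or BASH_ENV, which the root shell will go on to source, is a regular file owned by the invoking admin and not writable by group or others. The function names rc_file_problems and check_su_env are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message).
# rc_file_problems FILE [UID]
#   Prints one line per problem found with FILE or its parent directory.
#   Returns 0 if nothing was found, 1 otherwise. UID defaults to the caller's.
rc_file_problems() {
    f=$1
    uid=${2:-$(id -u)}
    bad=0
    # A symlink could be re-pointed after the check, so reject it outright.
    if [ -L "$f" ]; then
        echo "$f: is a symlink"; return 1
    fi
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file"; return 1
    fi
    dir=$(dirname -- "$f")
    for p in "$f" "$dir"; do
        # find -prune tests only the path itself, without descending into it.
        if [ -z "$(find "$p" -prune -user "$uid" -print)" ]; then
            echo "$p: not owned by uid $uid"; bad=1
        fi
        # Group- or world-writable file or directory lets someone else
        # change what the root shell sources (this also flags sticky dirs).
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "$p: writable by group or others"; bad=1
        fi
    done
    return $bad
}

# Check whichever of ENV / BASH_ENV is set in the current environment.
check_su_env() {
    rc=0
    for v in "${ENV:-}" "${BASH_ENV:-}"; do
        [ -n "$v" ] || continue
        rc_file_problems "$v" || rc=1
    done
    return $rc
}
```

Run as `check_su_env && su -m` from the admin's own account; a non-zero status means one of the files should be fixed first.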