Use of Root

Jon Masters jonathan at jonmasters.org
Mon Jan 31 18:21:59 EST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Kramer wrote:

| On Mon, 31 Jan 2005, Jerry Feldman wrote:
|
|>Going back to my war story, the IT people's argument was that it would be
|>easier for me to undermine their network

One problem I have working in such environments, is the inevitable type
of person who tends to be the one weilding root - including corporate
types honestly believing all the rubbish they're fed in M$ and non-M$
whitepapers on computer security.

|>and that I could change the root password

But you'd be larted. The only real problem is lack of audit trail
(that's really the only problem in most cases) and that can be fixed by
using something like sudo, but see the caveat mentioned below. I prefer
allowing people to do their job with as few restrictions as necessary.

| ... All of which could have been handled by sudo.  With sudo, you can
give
| mortals the power to run certain commands as root without the root
| password. Best of both worlds.  I know JABR is big on sudo.

...and dangers of both. With sudo, it's very easy to overlook paths a
user can take to get at a shell (e.g. if you allow them to edit a file
but don't take in to account the fact that $EDITOR might allow them to
open a command shell). It's also easy to ignore this fact and think that
sudo will solve everything - so in that sense using sudo introduces an
extra - somewhat hidden - danger of general complacency.

| Since I am both Sysadmin and Power User at home, what I do is I have a
| separate login window on a separate vitrual window for root, and it has a
| red tinted background.  I consider this acceptable risk because I do
| regular backups, though.

We had one colo box where root was disabled, everything went via sudo
and it tried to stop people doing stuff like "sudo su". It becomes
completely unworkable and you end up pointing out that, while sudo works
great in almost all cases, sometimes you do need a root shell :-).

Jon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB/r2XeTyyexZHHxERAhycAJ9VyIAWdn55uly663f+w7miIRuPOQCgiStD
71R3F2iegq8z3wPa5IvB6OQ=
=nPoz
-----END PGP SIGNATURE-----



More information about the Discuss mailing list