Re: [cobalt-users] AdmR & AdmQ Users
- Subject: Re: [cobalt-users] AdmR & AdmQ Users
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Wed Mar 5 19:56:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
MLA> Date: Wed, 5 Mar 2003 20:33:42 -0700 (MST)
MLA> From: Mailing List Account
MLA> Excuse me... multiple root-level users are not uncommon on
MLA> Unix or on legacy systems. FreeBSD, for example, ships with
MLA> a user toor (root backwards). The account is disabled by
MLA> default and is of no use unless the admin sets its
MLA> password. Such an account can be used to recover a system
MLA> on which root is broken in some way or perhaps in the event
True... although, IMHO, it's much better to have root next to
unbreakable. I build systems with everything needed to login
(statically-linked SSH and shells, configs, et cetera) on the
root partition. Many others do the same.
If one's root partition is toasted, one has bigger problems than
lack of root login. :-) Conversely, there are situations where a
non-root partition is scrambled, yet a root login comes in handy.
IOW, one can login and switch to root unless the system is
seriously scrambled or the root password is lost. In that case,
as you mentioned, a back door is handy.
MLA> the root password is lost it can be used to recover the
MLA> system without dropping into the single user mode and
Yup.
MLA> thereby experiencing down-time. Most knowledgeable security
MLA> professionals leave the choice of removing the toor account
MLA> to the boxes' owner. It's most certainly not an exploit
MLA> waiting for a place to happen. IBM's OS/400 contains similar
No, it certainly isn't. The danger of multiple root-level
accounts is lack of central control. If one truly needs a way
for multiple people to have uid 0 access, one needs a way to
track same... and multiple accounts means more tracking. A
better way is to use something like 'ksu' or 'sudo'.
Uid 0 events should be logged to an external, central bastion
box. I've heard of the truly paranoid logging certain events to
a line printer. Of course, this probably is a tad off-topic. ;-)
MLA> Sweeping generalities...
This is true.
Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.
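Two checks for the points made in the reply above (a second uid-0 account such as FreeBSD's toor, and logging uid-0 events centrally), added here as an example and not part of the original thread. It enumerates uid-0 accounts from passwd/shadow-style files and picks the root-targeted events out of sudo's syslog lines; the passwd, shadow and log content is constructed.

```python
import re
from typing import Dict, List
# Constructed /etc/passwd content, FreeBSD-style, with 'toor' beside 'root'.
SAMPLE_PASSWD = """root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
eddy:*:1001:1001:E.B. Dreger:/home/eddy:/bin/sh
"""
# Constructed shadow-style content (master.passwd on FreeBSD, /etc/shadow on
# Linux); only name and hash are read. '*' or a leading '!' means locked.
SAMPLE_SHADOW = """root:$6$constructedhash:0:0:99999:7:::
toor:*:0:0:99999:7:::
eddy:$6$anotherhash:0:0:99999:7:::
"""
def uid0_accounts(passwd_text: str, shadow_text: str) -> List[Dict[str, object]]:
    """List every uid-0 account and whether its password is locked. An account
    missing from the shadow file is reported as unlocked so it gets looked at."""
    locked = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) >= 2:
            locked[f[0]] = f[1] == "*" or f[1].startswith("!")
    found = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0":
            found.append({"name": f[0], "locked": locked.get(f[0], False)})
    return found
# sudo's default syslog line; the timestamp/host prefix is ignored.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# Constructed syslog lines as a central log host might receive them.
SAMPLE_LOG = [
    "Mar  5 20:33:42 cobalt sudo:  eddy : TTY=ttyp0 ; PWD=/home/eddy ; USER=root ; COMMAND=/sbin/shutdown -h now",
    "Mar  5 20:35:10 cobalt sshd[412]: Accepted password for eddy from 10.0.0.5 port 1022",
    "Mar  5 20:36:01 cobalt sudo:  eddy : TTY=ttyp0 ; PWD=/home/eddy ; USER=www ; COMMAND=/usr/bin/id",
    "Mar  5 20:40:17 cobalt sudo:  guest : command not allowed ; TTY=ttyp1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh",
]
def sudo_root_events(lines: List[str]) -> List[Dict[str, object]]:
    """Return the sudo events that targeted root (uid 0), including refused
    attempts, which are the ones most worth alerting on."""
    events = []
    for line in lines:
        m = SUDO_RE.search(line)
        if m and m.group("target") == "root":
            events.append({"user": m.group("user"), "cmd": m.group("cmd"),
                           "denied": "command not allowed" in line})
    return events
```

Run against the real files and a syslog feed from the central box, the first function flags any second uid-0 account that is not locked, and the second gives the audit trail that multiple shared root accounts cannot.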