- Re: username administration questions.
11-28-2001 12:20 PM
This post is regarding other posts that I have read regarding usernames and passwords. Right now everyone logs on as root. I have read where a lot of you recommend that everyone has their own username and password and that the user root is not to be used. My questions are:
1. If everyone has their own username and password do they have to have a userid of 0? Because if so does this not defy the whole purpose?
2. What about apps that can only be started as root? What is the best way to get around this? Maybe with the su command?
3. I can see why this would be a good thing to move toward; can anyone give me more examples of why I should push this?
4. What about splitting the usernames per group? support, devel, and so on.
Any other information or comments would be helpful.
Thanks
Richard
11-28-2001 12:27 PM
Solution
You have missed the point. Creating a user with a uid of 0 makes the user super-user not the name 'root'. Here is the bottom line: Novice admins constantly login as root and remain logged in as root (or as a uid 0 - same thing). I suppose they like the feeling of power.
Experienced admins recognize that they are their own worst enemies and seldom login as root and only when necessary. They typically su - root from their own non-privileged accounts; do whatever task needed doing; and then immediately 'exit' to revert to their normal status.
Food for thought, Clay
11-28-2001 12:30 PM
1. Why not make everyone login using their own username/passwd, and when they need to use root, make them su up to root, that way you can track who uses root?
2. Apps, that need to be root, can be started using the above method (1), or you can do a setuid on the executable.
3. If you have everyone using root, and then someone does a "rm -rf /*", how would you know who did it?
4. Normal support people usually do not ever need root, and when they do, "SCRIPT" it for them (keep them out of root).
Developers should only have su to root on development machines!!!!
Only SA (System admins) should have root password.
Operators should have their own login, but everything they do (backups, etc) should be SCRIPTED - MENU DRIVEN - no shell access!!!
live free or die
harry
11-28-2001 12:31 PM
I would push this for accountability reasons, to protect your company and the employees. Security experts say that 80% of your threats are posed by the trusted insider. If you allow users to login under the same account and something happens in that account, then you will have to cast suspicion on 99% of the innocent and 1% of the guilty. People don't respond well to false accusations. Also, after a person leaves your company, they are still tied to the userid instead of their own.
Just my take,
C
11-28-2001 12:32 PM
Let's go...
<
That's an *axiom* in Unix. Only the sysadm should have the root password. Everyone else should have their own account. Have your sysadmin manage the root account and keep the password stored in a locked envelope somewhere (in case you forget or is not available to solve an urgent problem).
<<1. If everyone has their own username and password do they have to have a userid of 0? Because if so does this not defy the whole purpose?>>
Exactly! Nobody should have uid=0, only root itself!
<<2. What about apps that can only be started as root? What is the best way to get around this? Maybe with the su command?>>
Your regular users shouldn't need to start applications that require root privileges. If that's the case, you may have a problem. You need to properly set up the file/dir permissions (I know that in many cases, developers have the root password and build their systems in a way that requires root privileges). If you have a few systems that really need root privileges, consider "sudo" (a wrapper that allows certain users to execute certain commands with root privileges).
<<3. I can see why this would be a good thing to move toward; can anyone give me more examples of why I should push this?>>
That's the most basic thing in Unix. root is root. Nobody else but the sysadmin should be root. If your manager says it's a bad idea to have only one root, remind him that his boss will come and get him when someone removes all data on your hard drives (anybody can do it with root privileges).
<<4. What about splitting the usernames per group? support, devel, and so on.
Any other information or comments would be helpful.>>
That's a very good idea. Have a 'users' group with everybody and supplemental groups as 'devel', 'support', etc. That will allow you finer control over who can do what.
Hope it helps,
Paga
11-28-2001 12:49 PM
The idea is to force users to log in as their own ID and then su - to become root only if they need it. This will help prevent some accidents and also help in logging who has used root. At the same time you can use things like restricted SAM, sudo, or Symark's PowerBroker to delegate root tasks directly to non-root user IDs and you will also achieve logging of who is doing what with root access. The idea is to restrict the use of the "root" account unless absolutely necessary so that you can better track what is being done, who is doing it, and therefore prevent mistakes and abuse. Only a few should be using the "root" account.
11-28-2001 02:24 PM
First off nobody should have a uid of '0'
other than the root account. Junior SA's
have a very bad habit of abusing the power
that comes with the root account. Since I
started at this position it has been an
uphill battle to make sure that the
correct way is done.
Use your own account, if you need to use
the power of 'root' use 'sudo -command' and
then each instance is logged. The password
for root can then be locked in the safe.
Apps that should be started as root should be
done so using su -
Having everyone access uid 0 is a recipe
for a time-bomb waiting to go off.
I would not get a developer any type of
super anything access. They can't even
clean home directories without having 48
copies of every piece of code and still
refuse to use sccs or rcs. As far as
operators are concerned, if they have earnt
their own bananas they can have menu access
and that's it.
One further thing... DBAs are just as bad: disable the oracle or informix account, so that everything is su - oracle or they too can use sudo.
My 2 cents worth
-Michael
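
The replies above make two checkable points: only root should have UID 0, and going through su from personal accounts leaves a record of who became root. As an added example (not written by any poster in this thread), the shell functions below list extra UID 0 entries in a passwd file and count su-to-root attempts per user from an sulog file. The default paths `/etc/passwd` and `/var/adm/sulog`, the `SU MM/DD HH:MM +|- tty from-to` line layout, and all sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit UID 0 accounts and summarise su-to-root activity.
# Pass a file name, or "-" to read standard input.

# Print every account whose UID field is numerically 0 but is not "root".
# The numeric comparison also catches entries written as "00".
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Summarise sulog lines of the assumed form: SU MM/DD HH:MM +|- tty from-to
# Prints "<from-user> ok=<n> failed=<n>" for every user who tried su to root.
su_root_summary() {
    awk '$1 == "SU" && $NF ~ /-root$/ {
             user = $NF
             sub(/-root$/, "", user)      # strip the target, keep the origin
             if ($4 == "+") ok[user]++
             else failed[user]++
             seen[user] = 1
         }
         END {
             for (u in seen)
                 printf "%s ok=%d failed=%d\n", u, ok[u], failed[u]
         }' "${1:-/var/adm/sulog}" | sort
}

# Constructed sample data (not taken from any real system).
sample_passwd='root:*:0:3::/:/sbin/sh
richard:*:101:20::/home/richard:/usr/bin/sh
oper:*:0:20::/home/oper:/usr/bin/sh'

sample_sulog='SU 11/28 12:30 + ttyp1 richard-root
SU 11/28 12:41 - ttyp2 harry-root
SU 11/28 12:45 + ttyp2 harry-root
SU 11/28 13:02 + ttyp3 michael-oracle'

echo "Extra UID 0 accounts:"
printf '%s\n' "$sample_passwd" | uid0_accounts -
echo "su to root, per user:"
printf '%s\n' "$sample_sulog" | su_root_summary -
```

Run without arguments on a live system, the functions read the default files; any name printed by `uid0_accounts` is a second superuser account under another name.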