user with root privilege
jvian10 at charter.net
Tue Apr 20 01:13:04 UTC 2004
Keven Ring wrote:
> Jeff Vian wrote:
>> Björn Persson wrote:
>>>>> Our Windows solution is to create two administrator-capable
>>>>> accounts. How
>>>>> can we best do the same with Linux machines?
>>> I may be wrong but I think it's possible to have several user names
>>> with user ID 0.
>>> Keven Ring wrote:
>>>> Third, too many "system administrators" [read: ROOT USERS] are
>>>> likely to cause more headaches than it is worth.
>>> If more than one person needs root access, and a few selected
>>> commands through sudo isn't enough, then surely it's better to have
>>> multiple root accounts than to share a password.
>>> Björn Persson
>> I disagree!
> I agree with you, however, I must make some points [if at least to
> throw some humor into the situation]....
>> Here is a situation where this does not make sense, and the use of
>> sudo does make sense
>> 1. Multiple users with root authority.
>> john, bill, and sam
>> one of these 3 happens to get mad/upset/frustrated/careless
>> This user (let's say john) logs in and runs some commands that are
>> very destructive to the system
>> (have you ever heard of "rm -rf /" being run????)
>> All three users' actions are recorded as being done by root, thus no
>> way to track who did what or when.
>> The analysis of the problem shows that "root" did some
>> dumb/careless/harmful things to the system.
>> Who is responsible????? Answer: one of the above
> *IF* one performs an "su -" from the prompt, there is a log of who
> logged in as root [will be one of john, bill, or sam]. *IF* one
> remotely logs in as root, then where they came from is logged [and by
> looking at who was logged on, could inform you which of john, bill, or
> sam performed the dirty work].
No. The only action logged would be the actual login.
> OTOH, if rm -rf / is executed, as root, this will wipe the hard drive,
> including logs.....
> [Note, I have performed this on a running system *on purpose* [it was
> going to be re-imaged anyway]].
I used that command as an example because it is really the single most
dangerous command that can inadvertently be done as root, and a single
keystroke can cause it.
I once tried to do "rm -rf /archive" to clean out an old partition.
What I inadvertently typed was "rm -rf / archive". :-(
Luckily I did that on my home computer and not at work, _and_ I had a
backup available. ;-)
> Note, also, that NFS mounts and such often require root password
> privileges. So, if john, bill, and sam all know root password, then
> you are setting yourself up for some bad situations.
sudo can be used to mount as well, and automounting works too.
> No one is saying you can't have multiple root users. I believe most
> of us are saying that it is not considered a best practice to have
> multiple root users of a single system, and that if there are cases
> where you feel that you need multiple root users, there are almost
> certainly options available to you that significantly reduce the
> amount of power that such a user has.
That was my point and my original reply was directed toward the OP and
those who seem to feel his request was a good idea.
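
Added example, not part of the original message: a small audit sketch for the two points argued in this thread, listing every account that shares UID 0 and showing that an su entry records only the switch to root while a sudo entry names the invoking user and the command. The passwd and log lines are constructed samples; su and sudo log formats vary by distribution, so the regular expressions are assumptions to adapt.

```python
import re

# Constructed sample data (not taken from the thread or any real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
john:x:1001:1001::/home/john:/bin/bash
bill:x:1002:1002::/home/bill:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""
AUTH_LOG = """\
Apr 20 01:02:11 host su[2101]: (to root) john on pts/1
Apr 20 01:02:40 host sudo:   bill : TTY=pts/2 ; PWD=/home/bill ; USER=root ; COMMAND=/bin/mount /archive
Apr 20 01:05:03 host sudo:    sam : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/rm -rf /archive
"""

# Assumed log layouts; adjust to what your syslog actually emits.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SU_RE = re.compile(r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on ")

def uid0_accounts(passwd_text):
    """Return every login name whose numeric UID is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].isdigit() and int(fields[2]) == 0:
            names.append(fields[0])
    return names

def attribute(log_text):
    """Return (invoking_user, mechanism, command) for each switch to root.

    su yields command=None: the log shows who became root, not what
    they ran afterwards. sudo yields the exact command line.
    """
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m and m["target"] == "root":
            events.append((m["user"], "sudo", m["cmd"]))
            continue
        m = SU_RE.search(line)
        if m and m["target"] == "root":
            events.append((m["user"], "su", None))
    return events

if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(PASSWD))
    for user, how, cmd in attribute(AUTH_LOG):
        print(user, how, cmd or "(commands after login not recorded)")
```
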