user with root privilege
Keven Ring
keven at mitre.org
Mon Apr 19 17:18:11 UTC 2004
Jeff Vian wrote:
>
>
> Björn Persson wrote:
>
>>>> Our Windows solution is to create two administrator-capable
>>>> accounts. How
>>>> can we best do the same with Linux machines?
>>>
>>>
>>
>> I may be wrong but I think it's possible to have several user names
>> with user ID 0.
>>
>> Keven Ring wrote:
>>
>>> Third, too many "system administrators" [read: ROOT USERS] are
>>> likely to cause more headaches than it is worth.
>>
>>
>>
>> If more than one person needs root access, and a few selected
>> commands through sudo isn't enough, then surely it's better to have
>> multiple root accounts than to share a password.
>>
>> Björn Persson
>>
> I disagree!
I agree with you; however, I must make some points [if only to throw
some humor into the situation]...
>
> Here is a situation where this does not make sense, and the use of
> sudo does make sense
>
> 1. Multiple users with root authority.
> john, bill, and sam
>
> one of these 3 happens to get mad/upset/frustrated/careless
> This user (lets say john) logs in and runs some commands that are very
> destructive to the system
> (have you ever heard of "rm -rf /" being run????)
> All three users actions are recorded as being done by root, thus no
> way to track who did what or when.
> The analysis of the problem shows that "root" did some
> dumb/careless/harmful things to the system.
>
> Who is responsible????? Answer: one of the above
*IF* one performs an "su -" from the prompt, there is a log of who
logged in as root [it will be one of john, bill, or sam]. *IF* one
remotely logs in as root, then where they came from is logged [and by
looking at who was logged on, that could inform you which of john, bill, or
sam performed the dirty work].
OTOH, if rm -rf / is executed, as root, this will wipe the hard drive,
including logs.....
[Note, I have performed this on a running system *on purpose* [it was
going to be re-imaged anyway]].
Note, also, that NFS mounts and such often require root privileges. So,
if john, bill, and sam all know the root password, then you are setting
yourself up for some bad situations.
No one is saying you can't have multiple root users. I believe most of
us are saying that it is not considered a best practice to have multiple
root users of a single system, and that if there are cases where you
feel that you need multiple root users, there are almost certainly
options available to you that significantly reduce the amount of power
that such a user has.
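Two checks that fall out of the discussion above, written up as an added example (this is not code from anyone in the thread): list every UID-0 account in a passwd-format file, which is how you find the "several user names with user ID 0" setup Björn mentions, and read back who did an "su -" to root from syslog, which is the trail Keven describes. Assumptions: passwd(5) layout with the numeric UID in field 3, and syslog lines of the shape "su[PID]: (to root) USER on TTY" as shadow-utils su writes them; the passwd entries and log lines below are constructed sample data, not taken from any real host.

```shell
#!/bin/sh
# Added example for the thread above; not part of the original posts.
# Assumes passwd(5) field layout and "su[PID]: (to root) USER on TTY"
# syslog lines. All sample data is constructed.

# Print every account name whose UID is 0 in a passwd-format file.
# Any name besides "root" is a second root account of the kind discussed.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Number of UID-0 accounts other than root. 0 means the check passes.
# (grep -c exits 1 when the count is 0, hence the "|| true".)
extra_root_count() {
    uid0_accounts "$1" | grep -vc '^root$' || true
}

# Unique users who switched to root with su, taken from "(to root) USER"
# lines. Switches to other accounts ("(to postgres) ...") are ignored.
su_to_root_users() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "(to" && $(i + 1) == "root)") print $(i + 2) }' "$1" \
        | sort -u
}

# --- constructed sample data so the script runs offline ---------------
PASSWD_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
john:x:0:0:John, second UID-0 account:/home/john:/bin/sh
bill:x:1001:1001:Bill:/home/bill:/bin/sh
sam:x:1002:1002:Sam:/home/sam:/bin/sh
EOF

LOG_SAMPLE=$(mktemp)
cat > "$LOG_SAMPLE" <<'EOF'
Apr 19 17:01:02 box su[2345]: (to root) bill on pts/0
Apr 19 17:05:44 box su[2350]: (to postgres) sam on pts/1
Apr 19 17:18:11 box su[2361]: (to root) sam on pts/2
Apr 19 17:19:00 box su[2362]: (to root) bill on pts/0
EOF

echo "UID-0 accounts:"
uid0_accounts "$PASSWD_SAMPLE"
echo "extra root accounts: $(extra_root_count "$PASSWD_SAMPLE")"
echo "users who su'd to root:"
su_to_root_users "$LOG_SAMPLE"

rm -f "$PASSWD_SAMPLE" "$LOG_SAMPLE"
```

On the sample data the first check reports john as an extra UID-0 account and the second shows bill and sam as the people who became root. The caveat from the thread applies: once someone is root, anything they do is logged as root, and a hostile root can remove the log, so these checks only help while the log survives. The sudo alternative being argued for is to give john, bill and sam specific commands in sudoers (edited with visudo), for example a line granting only the mount and umount binaries, so each invocation is logged under their own name.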
More information about the users mailing list