see below

On Sun, Sep 22, 2002 at 03:47:56PM -0700, Etaoin Shrdlu wrote:
>
> "John M. Brown" wrote:
> >
> > I have a question for the security community on NANOG.
>
> I confess that I think of NANOG as not being a security community, rather
> it is a group of North American network operators. That said, you can find
> all sorts of info for the somewhat naive question below by a slightly
> judicious use of our friend, Google. That said, and since I'm avoiding work
> that I SHOULD be doing, I will answer your Important question.
>

Right, operators sometimes have to deal with the practical issues of
implementing security. Security wonks don't always have to deal with their
ideas :)

Yes, Google is a fine resource. Having messages from the community to
reference is also fine for my purposes :).

> > What is your learned opinion of having host accounts
> > (unix machines) with UID/GID of 0:0
>
> This shows a certain naiveté, and suggests that you have not heard of truly
> useful tools such as sudo. If it's UNIX, sudo builds. Why is this a bad
> thing? The first number in your password entry implies USER. Not users.
> There is simply no way to tell which of many multiples of people might have
> made a change in your system, since the UID is the same for all.

I can spell soodoo.. have used it for years, and advocate its use.

There is a hidden agenda here, can't talk about it.

> > In other words
> >
> > jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
>
> I also truly hope that this was just a quick copy by you, and that you are
> not truly discussing a system here that allows the password file to
> actually contain the password. Please tell me that your password file is at
> least shadowed, and that was just a typo.

I think clear text is the only way. Makes it easier to remember your
passwords :)

OK, that was sarcastic. Sorry.. Um, OTP, Kerb, SSH, Shadow, etc. are things
I use, as needed, in my networks.

> > The argument is that way you don't have to give out the root password,
> > you can just nuke a user's UID=0 equiv account when they leave and not
> > have to change the real root account.
>
> I will also supply you with a bit of advice, one that I see even using SSH
> over the network to my own machines:
>
> "Don't login as root, use su"

Yes, it's amazing the number of people that allow this. People with "cred
and respect" in the community.....

> > Now, don't flame me over the question, but provide valid pros or cons
> > for this practice from your experience.
>
> There are no positive aspects to this practice. I suggest that you get the
> wonderful red book (now colored purple, last I recall) by Evi Nemeth et al,
> and study it thoroughly.

I've got Evi's rainbow on my shelf (all editions of this FINE FINE book,
Yellow, Red, Purple I believe, right next to the Dragon Book, well dog-eared
K&R (Pre ANSI, and Post ANSI)).

Thanks for the comments
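The two defects the thread argues over, extra accounts sharing UID/GID 0 (so nothing in the logs or file ownership can say which person acted) and a password field that is not shadowed, are both visible in the passwd file itself. The following audit script is an added example and is not code from the thread or from either poster; the sample entries are constructed (only the jmbrown_r line mirrors the one quoted above), and it assumes the System V/Linux convention that a shadowed entry carries "x" in the password field.

```sh
#!/bin/sh
# Added example, not from the original NANOG thread: audit passwd-format
# entries for extra UID/GID 0 accounts and for unshadowed password fields.
# All sample entries below are constructed.

# Login names other than "root" carrying UID 0: each one is
# indistinguishable from root in logs and in file ownership.
find_uid0_dups() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Login names other than "root" whose primary group is GID 0.
find_gid0_members() {
    printf '%s\n' "$1" | awk -F: '$4 == 0 && $1 != "root" { print $1 }'
}

# Entries whose password field is neither the shadow placeholder "x" nor a
# locked/disabled marker (leading "*" or "!"): the hash, or the cleartext,
# is sitting in the world-readable file.
find_unshadowed() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" && $2 !~ /^[*!]/ { print $1 }'
}

# Run all three checks over the passwd content passed as $1.
# Exit status 0 means clean, 1 means at least one finding.
audit_passwd() {
    rc=0
    for check in find_uid0_dups find_gid0_members find_unshadowed; do
        found=$("$check" "$1")
        if [ -n "$found" ]; then
            echo "$check:"
            printf '  %s\n' $found
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: root, a duplicate UID 0 account with a cleartext
# password field, a UID 0 service account, and an ordinary user.
SAMPLE_BAD='root:x:0:0:root:/root:/bin/sh
jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
opsbackup:x:0:100:Backup operator:/home/opsbackup:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh'

# Constructed sample with no findings.
SAMPLE_OK='root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh'

if audit_passwd "$SAMPLE_BAD"; then
    echo "SAMPLE_BAD: clean"
else
    echo "SAMPLE_BAD: findings listed above"
fi
```

On a live host the same functions take the real file, e.g. `audit_passwd "$(cat /etc/passwd)"`; a non-zero exit from a cron job or config-management check is the detection hook. The GID 0 check is deliberately separate from the UID 0 check, since a GID 0 primary group is a weaker finding (group-writable root files) than a second UID 0 login.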
