On 07/30/10 02:05 PM, David Brodbeck wrote:

> On Jul 30, 2010, at 1:33 PM, Kyle McDonald wrote:
>> I actually like root as a role, but it strikes me that by forcing
>> all machines to have a single local user with a pw that everyone
>> knows, you've totally re-opened the hole that this was supposed to
>> close. Anyone can login as that local user, and assume the root
>> role anonymously.

> It's essentially a "security through obscurity" measure.  There's
> still an account with effective access to root privileges, but it's
> not *called* root, so it's slightly harder to target.  Sort of like
> renaming the "Administrator" account on Windows.

No, that's not correct. I agree that you should have a local account that can assume the root role so that you can fix things if something happens to your LDAP server, network, etc. But that doesn't mean that everyone, or even all the users who can assume the root role, need to know the password of the local account.

For example, suppose you have a collection of systems using an LDAP server with lots of regular user accounts plus a handful of accounts for individual administrators, each of whom is able to assume the root role. I would make sure each system also has a local account that can assume the root role with a password known to a subset (or maybe just one) of those administrators. You want the local account so you can respond to emergencies, but emergencies should be rare so you don't necessarily need every administrator to have that access.

Furthermore, as a matter of policy, administrators should use their regular LDAP accounts to access the root role except in those emergency situations when LDAP is not available. Remember, accountability is the reason for making root a role, so we can see when the local account has been used and follow up with the administrators accordingly.

> On the other hand, there are some accountability advantages if you
> enforce the use of a tool that does logging, like "sudo".  If
> everyone has their own account and they have to use "sudo" to
> exercise rootly powers, then you have a useful record of who did
> what.  If someone just logs in as root you really don't know which of
> the people who had the root password did it.  The tradeoff is each
> account with sudo privileges becomes a potential attack surface, so
> you need to make sure your admins are picking good passwords.

The accountability advantage is exactly the same with the root role. You have to assume the root role from a regular user account, so you know who it was. In fact, the individual audit events recorded while running in the root role include the real user attribution so you don't have to go back through the audit trail to figure out who assumed the role sometime prior to the event you're trying to examine.

Regarding the expansion of the attack surface, remember that assuming the root role requires logging in to a user account first and then providing the root password. Even if the user accounts have weak (or non-existent) passwords, the situation is no worse than it was with a single root user account.

        Scott


--
Scott Rotondo
Senior Principal Engineer, Solaris Core OS Engineering
President, Trusted Computing Group
Phone: +1 650 786 6309 (Internal x86309)
_______________________________________________
opensolaris-discuss mailing list
[email protected]
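The setup Scott argues for above (root configured as a role, a handful of directory-backed admins who may assume it, exactly one local emergency account that can do the same, and audit records that carry the real user through the role) can be checked mechanically against user_attr(4)-style entries. The following is an added example and is not code from this thread or from Solaris: the user_attr lines and the praudit-style subject tokens are constructed for illustration, the set of "local" account names is supplied as an input because user_attr itself does not record which name service an entry came from, and the subject-token field order is an approximation of praudit -l output rather than something taken from the page.

```python
# Added example (not from the original thread): parse user_attr(4)-style
# entries and praudit(1M)-style subject tokens to check a root-role setup.
# All sample data below is constructed for illustration.

SAMPLE_USER_ATTR = """\
# constructed sample: root is a role, three accounts may assume it
root::::type=role;auths=solaris.*;profiles=All
alice::::type=normal;roles=root
bob::::type=normal;roles=root
carol::::type=normal
sysadm::::type=normal;roles=root
"""

LIST_KEYS = ("roles", "auths", "profiles")


def parse_user_attr(text):
    """Return {name: {attr: value}}; roles/auths/profiles become lists."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")          # user:qualifier:res1:res2:attr
        if len(fields) != 5:
            raise ValueError("malformed user_attr line: %r" % raw)
        attrs = {}
        for item in fields[4].split(";"):
            if not item:
                continue
            key, _, value = item.partition("=")
            attrs[key] = value.split(",") if key in LIST_KEYS else value
        entries[fields[0]] = attrs
    return entries


def is_role(entries, name):
    return entries.get(name, {}).get("type") == "role"


def who_can_assume(entries, role):
    """Login accounts (not roles) whose roles= list includes `role`."""
    return sorted(
        name for name, attrs in entries.items()
        if attrs.get("type", "normal") != "role" and role in attrs.get("roles", [])
    )


def check_root_role_policy(entries, local_accounts):
    """Findings against the policy argued for in the thread (empty = OK).

    local_accounts: names that exist in the local files rather than LDAP.
    This is an input (assumed, see lead-in) because user_attr does not say
    which name service an entry came from.
    """
    findings = []
    if not is_role(entries, "root"):
        findings.append("root is a normal login account, not a role")
    local_assumers = [u for u in who_can_assume(entries, "root")
                      if u in local_accounts]
    if not local_assumers:
        findings.append("no local account can assume root; "
                        "an LDAP outage locks you out")
    if len(local_assumers) > 1:
        findings.append("more than one local account can assume root: "
                        + ", ".join(local_assumers))
    return findings


# praudit -l prints a subject token approximately as
#   subject,audit-uid,uid,gid,ruid,rgid,pid,sid,terminal
# (field order assumed). The audit uid is set at login and survives su to
# the role, which is the per-event attribution the thread refers to.
SAMPLE_AUDIT = """\
subject,alice,root,root,root,root,2468,1357,0 0 host1
subject,bob,bob,staff,bob,staff,2470,1358,0 0 host1
"""


def audit_attribution(text):
    """Map each constructed subject token to (audit user, effective user)."""
    out = []
    for line in text.splitlines():
        if not line.startswith("subject,"):
            continue
        parts = line.split(",")
        if len(parts) < 9:
            raise ValueError("short subject token: %r" % line)
        out.append((parts[1], parts[2]))
    return out


if __name__ == "__main__":
    entries = parse_user_attr(SAMPLE_USER_ATTR)
    print("can assume root:", who_can_assume(entries, "root"))
    print("findings:", check_root_role_policy(entries, {"sysadm"}))
    print("audit attribution:", audit_attribution(SAMPLE_AUDIT))
```

With the constructed data, `sysadm` is the single local emergency account and `alice`/`bob` are the directory-backed admins, so the policy check returns no findings; making `alice` local as well, or removing every local assumer, produces a finding. The audit line for `alice` shows the effective uid as `root` while the audit uid still names her, which is the attribution that makes the root role as accountable as sudo.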