Security Practices question

Barb Dijker barb at netrack.net
Thu Oct 3 01:44:24 UTC 2002


At 05:48 PM 10/2/02 -0700, just me wrote:
>In an environment where every sysadmin is interchangeable, and any one
>of them can be woken up at 3am to fix the random problem of the day,
>you tell me how to manage 'sudoers' on 4000 machines.

Sudo provides for one master sudoers file that you can copy verbatim to any 
number of machines.  The syntax allows for entries to apply to all 
machines, groups of machines, or a single machine.  If your sysadmins are 
really interchangeable, you don't even need that syntax.  Your sudoers file 
is a simple ALL=ALL for all sysadmins on all machines.  If you really have 
4000 machines, sudoers is not the only file that is common and needs to be 
distributed among them.

>In a situation where the team needs root; all per-admin UID 0
>accounts add is accountability and personalized shells/environments.

All UID=0 accounts are one and the same.  There is NO accountability 
whatsoever different than everyone logging in as root...

   - if you allow login across the net via ssh or telnet to uid=0 (shame on 
you, btw), the identity of the user on the other end of the session is not 
logged - could be anyone.  wtmp might log the unique username instead of 
"root", but it might not depending on the OS.

   - if you su, the identity of the user who did the su is logged, so you 
don't need a separate identity for the account to which they su - may as 
well just su root.

Once someone is uid=0, via login or su, there is no accountability 
whatsoever to tie actions to a person.  Sudo gives you that in the sudo log.

In unix, accountability is tied to an account.  A unix account is one that 
has a unique UID.  All accounting in unix is by UID, not name.  Usernames 
are translated at the time of interpretation from UID.  The only time that 
is not true (poorly written application code notwithstanding) is during 
the login/su sequence as a convenience to the user, so they don't have to 
know their UID.  The only remnant of the username after login/su is in the 
environment variables of the shell... which can be changed by the user!!!!!

Please refer to my post on this subject dated 9/23.

...Barb
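The accountability point above (sudo logs who ran what; a root login or an su to root does not tie later commands to a person) can be shown by walking a few syslog lines. The following is an added example and is not code from the post or the list; the log lines are constructed, the sudo line format follows sudo's usual syslog output, and the su and sshd line formats are assumed to match common implementations and may differ on a given OS.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (hostnames, users and addresses are made up).
SAMPLE_LOG = """\
Oct  3 01:40:02 host17 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Oct  3 01:41:15 host17 su: (to root) bob on pts/1
Oct  3 01:42:30 host17 sudo:      bob : TTY=pts/1 ; PWD=/var/tmp ; USER=root ; COMMAND=/sbin/reboot
Oct  3 01:43:00 host17 sshd[4711]: Accepted password for root from 192.0.2.10 port 51234 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) "
# sudo records the invoking user, the target user and the exact command.
SUDO_RE = re.compile(
    TS + r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# su records who switched to root, but nothing about what they did afterwards
# (assumed format of the su syslog message).
SU_RE = re.compile(TS + r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")
# A direct root login over the network carries no person at all, only a source address
# (assumed sshd message format).
SSHD_ROOT_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")


def parse_line(line):
    """Classify one syslog line.

    Returns a record with:
      kind    - 'sudo', 'su' or 'root-login' (None for lines we ignore)
      person  - the human the OS can tie the entry to, or None if it cannot
      command - the privileged command, if the log records one
    """
    m = SUDO_RE.match(line)
    if m:
        return {"kind": "sudo", "host": m["host"], "person": m["user"],
                "target": m["target"], "command": m["cmd"]}
    m = SU_RE.match(line)
    if m:
        return {"kind": "su", "host": m["host"], "person": m["user"],
                "target": m["target"], "command": None}
    m = SSHD_ROOT_RE.match(line)
    if m:
        return {"kind": "root-login", "host": m["host"], "person": None,
                "target": "root", "command": None, "src": m["src"]}
    return None


def attribute(log_text):
    """All recognised records in the log, in order."""
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]


def commands_by_person(log_text):
    """Privileged commands that can be tied to a named person (sudo only)."""
    out = defaultdict(list)
    for r in attribute(log_text):
        if r["command"] is not None:
            out[r["person"]].append(r["command"])
    return dict(out)


def unattributed_root_activity(log_text):
    """Entries the post warns about: a uid 0 session whose later commands
    cannot be tied to a person (su to root), or whose person is unknown
    from the start (direct root login over the network)."""
    return [r for r in attribute(log_text) if r["kind"] in ("su", "root-login")]


if __name__ == "__main__":
    for person, cmds in commands_by_person(SAMPLE_LOG).items():
        print(f"{person}: {cmds}")
    for r in unattributed_root_activity(SAMPLE_LOG):
        who = r["person"] or f"unknown (from {r['src']})"
        print(f"uid 0 session on {r['host']} via {r['kind']}: {who}, commands not logged")
```

Run against a real /var/log/auth.log or /var/log/secure, the same walk shows the split the post describes: every sudo line names a person and a command, while each su or root login starts a uid 0 session whose subsequent actions the system does not attribute.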




More information about the NANOG mailing list