Really, really, really off topic, but (was Re: Security Practices question)
Etaoin Shrdlu
shrdlu at deaddrop.org
Sun Sep 22 22:47:56 UTC 2002
"John M. Brown" wrote:
>
> I have question for the security community on NANOG.
I confess that I think of NANOG as not being a security community, rather
it is a group of north american network operators. That said, you can find
all sorts of info for the somewhat naive question below by a slightly
judicious use of our friend, Google. That said, and since I'm avoiding work
that I SHOULD be doing, I will answer your Important question.
> What is your learned opinion of having host accounts
> (unix machines) with UID/GID of 0:0
This shows a certain naiveté, and suggests that you have not heard of truly
useful tools such as sudo. If it's UNIX, sudo builds. Why is this a bad
thing? The first number in your password entry implies USER. Not users.
There is simply no way to tell which of many multiples of people might have
made a change in your system, since the UID is the same for all.
> otherwords
>
> jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
I also truly hope that this was just a quick copy by you, and that you are
not truly discussing a system here that allows the password file to
actually contain the password. Please tell me that your password file is at
least shadowed, and that was just a typo.
> The argument is that way you don't hav to give out the root password,
> you can just nuke a users UID=0 equiv account when the leave and not
> have to change the real root account.
I will also supply you with a bit of advice, one that I see even using SSH
over the network to my own machines:
"Don't login as root, use su"
> Now, don't flame me over the question, but provide valid pro's or con's
> for this practice from your experience.
There are no positive aspects to this practice. I suggest that you get the
wonderful red book (now colored purple, last I recall) by Evi Nemeth et al,
and study it thoroughly.
I now return you to the discussion on (wireless and other) security, how
much is too much, and so on.
--
...some sort of steganographic chaffing and winnowing scheme
already exists in practice right here: I frequently find myself
having to sort through large numbers of idiotic posts to find
the good ones. -- Rufus Faloofus
More information about the NANOG
mailing list