Really, really, really off topic, but (was Re: Security Practices question)

John M. Brown john at chagresventures.com
Sun Sep 22 23:04:03 UTC 2002


see below


On Sun, Sep 22, 2002 at 03:47:56PM -0700, Etaoin Shrdlu wrote:
> 
> "John M. Brown" wrote:
> > 
> > I have question for the security community on NANOG.
> 
> I confess that I think of NANOG as not being a security community, rather
> it is a group of north american network operators. That said, you can find
> all sorts of info for the somewhat naive question below by a slightly
> judicious use of our friend, Google. That said, and since I'm avoiding work
> that I SHOULD be doing, I will answer your Important question.
> 

Right, operators sometimes have to deal with the practical issues of implementing
security.  Security wonks don't always have to deal with their ideas :)

Yes, Google is a fine resource.  Having messages from the community to 
reference is also fine for my purposes :).


> > What is your learned opinion of having host accounts
> > (unix machines) with UID/GID of 0:0
> 
> This shows a certain naiveté, and suggests that you have not heard of truly
> useful tools such as sudo. If it's UNIX, sudo builds. Why is this a bad
> thing? The first number in your password entry implies USER. Not users.
> There is simply no way to tell which of many multiples of people might have
> made a change in your system, since the UID is the same for all.

I can spell soodoo.. have used it for years, and advocate its use.  There is
a hidden agenda here, can't talk about it.


> > in other words
> > 
> > jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
> 
> I also truly hope that this was just a quick copy by you, and that you are
> not truly discussing a system here that allows the password file to
> actually contain the password. Please tell me that your password file is at
> least shadowed, and that was just a typo.

I think clear text is the only way.  Makes it easier to remember your
passwords :)

OK, that was sarcastic.  Sorry..  Um, OTP, Kerb, SSH, Shadow, etc. are
things I use, as needed, in my networks.



> > The argument is that way you don't have to give out the root password,
> > you can just nuke a user's UID=0 equiv account when they leave and not
> > have to change the real root account.
> 
> I will also supply you with a bit of advice, one that I see even using SSH
> over the network to my own machines:
> 
> "Don't login as root, use su"


Yes, it's amazing the number of people that allow this.  People with "cred
and respect" in the community.....

 
> > Now, don't flame me over the question, but provide valid pro's or con's
> > for this practice from your experience.
> 
> There are no positive aspects to this practice. I suggest that you get the
> wonderful red book (now colored purple, last I recall) by Evi Nemeth et al,
> and study it thoroughly.

I've got Evi's rainbow on my shelf (all editions of this FINE FINE book,
Yellow, Red, Purple I believe, right next to the Dragon Book, well dog-eared
K&R (Pre ANSI, and Post ANSI))

thanks for the comments
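As an added example (not part of this thread, and not anyone's posted code): a small Python audit for the two problems the thread raises, passwd entries other than root carrying UID 0, and password fields that hold an actual secret rather than the shadow placeholder. It goes one step beyond the discussion by flagging any UID shared between two accounts, not just UID 0, since the kernel's notion of "who did this" is ambiguous whichever UID is duplicated. The sample entries are constructed for the example, modelled on the jmbrown_r line quoted above; the placeholder hash for "bob" is not a real hash.

```python
"""Audit /etc/passwd-style text for UID 0 aliases, shared UIDs and
unshadowed password fields.  Example code added to this page, not from
the thread; SAMPLE_PASSWD is constructed and not taken from any host."""
import re
from collections import defaultdict

# Constructed sample, modelled on the entry quoted in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
ops_r:x:0:0:second root alias:/export/home/ops:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:$6$saltsalt$NotARealHashJustAPlaceholderForTheExample:1002:1002:Bob:/home/bob:/bin/bash
carol::1004:1004:No password at all:/home/carol:/bin/bash
dave:x:1001:1001:Shares alice's UID:/home/dave:/bin/bash
legacy:*:1005:1005:Locked:/nonexistent:/usr/sbin/nologin
this line is not a passwd entry
"""

# Values in the password field that mean "look in /etc/shadow" or "no login".
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", "*NP*", "*LK*"}
# Traditional 13-character DES crypt(3) hash (2 salt chars + 11 hash chars).
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_password_field(pw):
    """Return None if the field is harmless, else a finding label."""
    if pw in SHADOW_PLACEHOLDERS or pw.startswith("!") or pw.startswith("*"):
        return None                       # shadowed or locked: fine
    if pw == "":
        return "empty_password"           # login with no password at all
    if pw.startswith("$") or DES_CRYPT.match(pw):
        return "hash_in_passwd"           # world-readable hash: offline cracking target
    return "unrecognized_password_field"  # most likely a cleartext password


def audit_passwd(text):
    """Return a sorted list of (label, user, line_number) findings."""
    findings = []
    names_by_uid = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed_entry", None, lineno))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append(("non_numeric_uid", name, lineno))
            continue
        names_by_uid[int(uid)].append((name, lineno))
        if int(uid) == 0 and name != "root":
            findings.append(("uid0_alias", name, lineno))  # a second root by another name
        label = classify_password_field(pw)
        if label:
            findings.append((label, name, lineno))
    # Any shared UID, not only 0, makes the kernel's idea of "who" ambiguous:
    # file ownership, process accounting and audit records all carry the UID.
    for entries in names_by_uid.values():
        if len(entries) > 1:
            for name, lineno in entries:
                findings.append(("shared_uid", name, lineno))
    return sorted(findings, key=lambda f: (f[2], f[0]))


if __name__ == "__main__":
    # Run against the constructed sample; swap in open("/etc/passwd").read()
    # to audit a real host.
    for label, user, lineno in audit_passwd(SAMPLE_PASSWD):
        print("line %d: %-28s %s" % (lineno, label, user))
```

Note that a hash in /etc/passwd is reported separately from an unrecognized field: the former is a world-readable cracking target, the latter is almost certainly a cleartext password, and both mean the file is not shadowed.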