From owner-freebsd-questions Wed Oct 9 21:38:11 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1F14037B401 for ; Wed, 9 Oct 2002 21:38:09 -0700 (PDT)
Received: from russian-caravan.cloud9.net (russian-caravan.cloud9.net [168.100.1.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8591043E6A for ; Wed, 9 Oct 2002 21:38:08 -0700 (PDT) (envelope-from Hostmaster@Video2Video.Com)
Received: from earl-grey.cloud9.net (earl-grey.cloud9.net [168.100.1.1]) by russian-caravan.cloud9.net (Postfix) with ESMTP id 3949532682 for ; Thu, 10 Oct 2002 00:38:08 -0400 (EDT)
Date: Thu, 10 Oct 2002 00:38:08 -0400 (EDT)
From: Peter Leftwich
X-X-Sender:
To: FreeBSD LIST
Subject: Re: How to create another account with root privileges ?
In-Reply-To: <200210100021.21979.stest033@garbonzo.hos.ufl.edu>
Message-ID: <20021010003307.C41584-100000@earl-grey.cloud9.net>
Organization: Video2Video Services - http://Www.Video2Video.Com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, 10 Oct 2002, Bob Johnson wrote:

> On Wednesday 09 October 2002 09:02 pm, Pranav A. Desai appears to have written:
> > Hi! I have been asked to create admin accounts for a machine such that
> > all of them can access that machine as root but with different
> > username and password.
>
> In many environments, this is reasonable. Sometimes you have
> more than one person who must have full administrative rights,
> unless you plan to have your one administrator be on 24/7 call. It is
> good policy to prohibit anyone, even administrators, from sharing
> accounts, so you give each admin their own account. Of course, if
> they only need limited admin rights, then sudo is probably a better
> solution. Talk to your customer and find out what they are really trying
> to accomplish.

man su

> The "toor" account is an example of exactly what you want, although
> by default it is disabled (by an invalid password field). To create a
> similar account, use "vipw" to edit the password file. Copy the root entry,
> but give each person their own name and the shell of their choice (the
> shell must be in /etc/shells).

What -is- that toor (root backwards) account for anyways?? Is there a
command similar to vipw that uses a simpler editor, like pico?

> Leave everything else the same as for root. If you copy the password
> field from the root account, then the new admin account will have the
> same password, which should be changed by the user of the account.
> Also, never change the shell for root. It needs to be as it is for some
> things to work right. That's why the toor account exists: so you can
> set up an admin account with your choice of shell.

I always log in 100% of the time to my box as root and my shell is tcsh.
Does it matter that (I think) I changed the shell for root?

> The big disadvantage of this is that if you have three admin accounts,
> an attacker has three times greater chance of cracking the root
> password if they get their hands on your password file. Stress to the
> admins that it is critical that they use strong passwords on the admin
> accounts. A good way to create a strong password is to come up
> with a sentence of 8 or more words known only to yourself (i.e. NOT
> a well known phrase), and take the first letter of each word to form an
> acronym. Throw in some strange capitalization and a few special
> characters for best effect. For example, the phrase might be
> "my mother dances with bears (in the moonlight)", which gives me a
> password of "mMdwb(itm)". If the phrase used is widely known, this
> method becomes as easy to crack as single words of the same length,
> but if you use unique phrases the resulting passwords are very good.

Good point about crackers and their having three times the power!

> Sure, the admins can do bad things and cover their tracks if they put
> enough effort into it, but they can do that if they share a single admin
> account, also.
>
> Hope that helps.
>
> - Bob
>
> > Thanks -pranav
> >
> > Pranav A. Desai - Home :- (937) 294 1381
> >
> > On 9 Oct 2002, Kirk Strauser wrote:
> > > At 2002-10-09T17:36:02Z, "Pranav A. Desai" writes:
> > > > How can I create a user account that can function like a root
> > > > account with the same privileges ? I need to create three such
> > > > account. Is it possible ?
> > >
> > > Short answer: you probably don't really want to do this. What
> > > problem are you needing to solve by having multiple root accounts?
> > >
> > > Kirk Strauser
> > > In Googlis non est, ergo non est.

Google doesn't have new pages saved and served up 1 second ago, nor does it
have unique pages that a cgi script create(d/s).

--
Peter Leftwich
President & Founder
Video2Video Services
Box 13692, La Jolla, CA, 92039 USA
+1-413-403-9555

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
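Bob's recipe (copy the root entry in vipw, give it a new name and a shell listed in /etc/shells, change the copied password) and his warning that every extra UID-0 account is another password an attacker can crack both translate into things an administrator can check after the fact. The script below is an added example written for this thread; it is not code from any of the posters or from FreeBSD. It audits a file in master.passwd layout (ten colon-separated fields: name, password hash, uid, gid, class, change, expire, gecos, home, shell) and reports every UID-0 account, which of them have a usable password (toor's `*` field counts as locked), which ones still share a hash because the root password field was copied and never changed, and which have a shell missing from /etc/shells. The password file, the shells list and the hash strings are constructed sample data; on a real host you would feed it `/etc/master.passwd` and `/etc/shells`, which needs root to read.

```shell
#!/bin/sh
# Audit a passwd-format file for root-equivalent (UID 0) accounts.
# Added example for the freebsd-questions thread; not FreeBSD code.
# Layout assumed is FreeBSD master.passwd:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample data. The hashes are placeholders, not real hashes.
# "alice" has root's hash copied verbatim (the mistake Bob warns about);
# "toor" is locked with "*" and has an empty shell field; "bob" uses a
# shell that is not in the shells list.
SAMPLE_PASSWD=$(cat <<'EOF'
root:$6$constructedhash$abc:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
alice:$6$constructedhash$abc:0:0::0:0:Alice Admin:/root:/usr/local/bin/bash
bob:$6$otherhash$xyz:0:0::0:0:Bob Admin:/root:/usr/local/bin/zsh
carol:$6$carolhash$q:1001:1001::0:0:Carol:/home/carol:/bin/sh
EOF
)

# Constructed stand-in for /etc/shells (comment lines are ignored).
SAMPLE_SHELLS=$(cat <<'EOF'
# list of acceptable shells (constructed sample)
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash
EOF
)

# Every account whose uid field is 0, one name per line.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# UID-0 accounts whose password field is not locked. A field starting
# with "*" or "!" cannot match any password; anything else (including an
# empty field, which means no password at all) is a usable login.
active_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $2 !~ /^[*!]/ { print $1 }'
}

# Groups of UID-0 accounts that share one identical, unlocked hash.
# Each output line lists the account names that share a hash.
shared_uid0_hashes() {
    printf '%s\n' "$1" | awk -F: '
        $3 == 0 && $2 != "" && $2 !~ /^[*!]/ {
            count[$2]++
            names[$2] = names[$2] " " $1
        }
        END {
            for (h in count)
                if (count[h] > 1)
                    print substr(names[h], 2)
        }'
}

# UID-0 accounts whose shell is not an exact line of the shells list.
# An empty shell field is treated as /bin/sh, as login(1) does.
# Arguments: passwd contents, shells contents.
uid0_unlisted_shells() {
    _shells=$2
    printf '%s\n' "$1" |
        awk -F: '$3 == 0 { print $1 ":" ($10 == "" ? "/bin/sh" : $10) }' |
        while IFS=: read -r name shell; do
            printf '%s\n' "$_shells" | grep -qxF "$shell" ||
                printf '%s %s\n' "$name" "$shell"
        done
}

# Stand-alone run: report on the constructed sample. On a real host use
#   uid0_accounts "$(cat /etc/master.passwd)"   and so on.
echo "UID-0 accounts:"
uid0_accounts "$SAMPLE_PASSWD"
echo "UID-0 accounts with a usable password:"
active_uid0_accounts "$SAMPLE_PASSWD"
echo "UID-0 accounts sharing one password hash:"
shared_uid0_hashes "$SAMPLE_PASSWD"
echo "UID-0 accounts whose shell is not in the shells list:"
uid0_unlisted_shells "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
```

The shared-hash check is the direct test for the failure Bob describes: a vipw copy of root's line that was never followed by passwd(1) leaves two UID-0 names guarding one secret, so cracking either one yields root. The shells check catches the other half of his advice; vipw will not stop you from typing an unlisted shell, and an empty field silently becomes /bin/sh.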