Date:      Thu, 3 May 2001 06:07:52 +1000
From:      Sue Blake <sue@welearn.com.au>
To:        John Congdon <john@tradeweb.net>
Cc:        "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Disabling The Root Account
Message-ID:  <20010503060752.A6584@welearn.com.au>
In-Reply-To: <71E79DA61328D311B4D10020AFF78E4218DBEE@bdc.orlando.tradeweb.net>; from john@tradeweb.net on Wed, May 02, 2001 at 10:49:00AM -0400
References:  <71E79DA61328D311B4D10020AFF78E4218DBEE@bdc.orlando.tradeweb.net>

On Wed, May 02, 2001 at 10:49:00AM -0400, John Congdon wrote:
> I am considering changing root's shell to /bin/false or the like.  
> And doing everything via sudo.
> 
> Does anyone have any insight into this?  Is it not advisable to do this?

There is a safer, better way to disable the root account if you want to
have only sudo access.

Work with a partner to change the root password. Enter the first four
(unrememberable randomish) characters of the password, and write them
on a piece of paper while nobody's watching. Fold the paper back after
the last character so that your characters are unseen and the next four
can be written down.

Have your partner enter another four characters of the password without
telling you what they are, and writing them down on the paper. You'll
have to enter your password components a second time, this time reading
from the folded/flipped paper, which checks that the paper is accurate.

Fold the paper the other way so that neither of you knows the other
four characters. Put the much folded paper into a sealed envelope,
label and date it clearly, and store it in the safe and/or off site.

Check the envelope's integrity now and then, and repeat the whole
process every x months to make a new root password just in case.
Educate sudo users about the effective equivalence of their password
to the root password, password selection, not leaving terminal, etc.

No living soul knows the root password. In case of real need, someone
only has to retrieve the envelope and break the seal. If that
happened, you'd go through the process again for a new password. Just
remember that anyone who gets access to visudo or the config file
could silently change the root password to something they know.

To perform a task that simply won't work with sudo, allow yourself to
use the command 'sudo su' temporarily. Sometimes I have used a shell
script that runs the rest of the command line and pipes output to a pager
in order to do stuff with sudo, but that's risky to have lying around.

I've done root passwords like this for years and nobody's _ever_ needed
to access the envelope, but its existence allows the suits to trust the
sysadmin and therefore promotes compliance.

-- 

Regards,
        -*Sue*-
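
Added example (not part of the message above and not sudo's own code): a simplified Python audit of sudoers text for the grants the message treats as equivalent to the root password, such as 'sudo su' and access to visudo. The sample file, the function names and the RISKY entries beyond su and visudo are assumptions; includes, per-host lists and User_Alias expansion are not handled.

```python
import re

# The message names su and visudo; the other entries are this example's
# assumptions about commands that also hand back full root.
RISKY = {"su", "visudo", "vipw", "passwd", "chpass", "sh", "csh", "tcsh"}

SAMPLE = """\
# constructed sample sudoers content, not taken from any real system
Defaults env_reset
Cmnd_Alias EDITCFG = /usr/local/sbin/visudo, /usr/sbin/vipw
alice   ALL = (ALL) ALL
bob     ALL = /sbin/shutdown, \\
              /usr/bin/su
carol   ALL = NOPASSWD: EDITCFG
dave    ALL = /sbin/dump, !/usr/bin/su
"""

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def root_equivalent_grants(text):
    """Return sorted (user, command) pairs that amount to unrestricted root."""
    aliases, specs = {}, []
    for line in logical_lines(text):
        if line.startswith("Defaults") or "=" not in line:
            continue
        left, right = line.split("=", 1)
        right = re.sub(r"\([^)]*\)", " ", right)       # drop "(runas)" lists
        cmds = [c.strip() for c in right.split(",")]
        words = left.split()
        if words[0] == "Cmnd_Alias":
            aliases[words[1]] = cmds
        elif not words[0].endswith("_Alias"):
            specs.append((words[0], cmds))
    found = set()
    for who, cmds in specs:
        for cmd in cmds:
            cmd = re.sub(r"^([A-Z_]+:\s*)+", "", cmd)  # drop tags like NOPASSWD:
            for real in aliases.get(cmd, [cmd]):       # expand a Cmnd_Alias
                name = real.split()[0].rsplit("/", 1)[-1] if real else ""
                # A leading "!" is a denial, not a grant.
                if not real.startswith("!") and (real == "ALL" or name in RISKY):
                    found.add((who, real))
    return sorted(found)

if __name__ == "__main__":
    print(*root_equivalent_grants(SAMPLE), sep="\n")
```

Every user it reports holds a password that should be chosen and protected like the one in the envelope.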
 
