From owner-freebsd-questions Thu Sep 14 5: 6:54 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from srcso.globis.ru (globis.ru [212.248.80.7]) by hub.freebsd.org (Postfix) with ESMTP id 6E85337B424 for ; Thu, 14 Sep 2000 05:06:50 -0700 (PDT)
Received: from raduga.sochi.net (raduga.sochi.net [212.248.82.76]) by srcso.globis.ru (8.9.3/8.9.3) with ESMTP id QAA05066 for ; Thu, 14 Sep 2000 16:23:43 +0400 (MSD) (envelope-from igor@raduga.sochi.net)
Received: (from igor@localhost) by raduga.sochi.net (8.10.0/8.10.0) id e8EC6iU32606 for freebsd-questions@FreeBSD.ORG; Thu, 14 Sep 2000 16:06:44 +0400
Date: Thu, 14 Sep 2000 16:06:44 +0400
From: Igor Roboul
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Root Shells
Message-ID: <20000914160644.C31439@linux.rainbow>
Reply-To: igorr@crosswinds.net
Mail-Followup-To: freebsd-questions@FreeBSD.ORG
References: <20000914090047.C22658@linux.rainbow>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre4i
In-Reply-To: ; from roth@iamexwi.unibe.ch on Thu, Sep 14, 2000 at 01:42:18PM +0200
X-Operating-System: Linux linux.rainbow 2.2.14-plus-SMP
X-Best-Window-Manager: Window Maker (www.windowmaker.org)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Sep 14, 2000 at 01:42:18PM +0200, Tobias Roth wrote:
> > > Over the last few months I have become quite used to zsh, and have set the
> > > root account on one of my boxes to use it. However, when a friend of mine saw
> > > this he seemed to think it a very bad thing, noting that zsh is not in the
> > > root partition etc. My question is, is this really a problem? Can't I just
> > > run sh if the need arises?
> > This is bad. This is bad just because you work as root always. If you don't do
> > this, then why do you need zsh for root? Also, it is a good idea to use a statically
> > linked shell for root. Also, if some error is found in sh/csh it will be
> > fixed "automagically" after the next cvsup (or the next next cvsup). But for zsh you
> > need to reinstall it from ports.
> That's what the toor account is for. In normal operation, you use the toor
> account with the shell of your choice when you need superuser privileges,

When you do normal work, you DON'T need the root/toor account. If you need root to start/stop, for example, Apache, use sudo|su1|... with some alias. YOU DON'T NEED to type shell commands as root. This is my security policy, which protects ME from ME. There are really not so many things you need to be root for. All these things you can add to the sudoers|su1.priv|... files. And do something like this:

    su1 apachectl stop

with /etc/su1.priv:

    [snip]
    # Web server control
    define WWWADMIN igor
    ask never
    alias apachectl /usr/local/apache/bin/apachectl
    allow WWWADMIN prefix apachectl
    [snip]

-- 
Igor Roboul, Unix System Administrator & Programmer
@ sanatorium "Raduga", Sochi, Russia
http://www.brainbench.com/transcript.jsp?pid=304744

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
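The same "no root shell, only named commands" policy expressed for sudo, which the post names as the alternative to su1. This is an added example, not part of the original message or of the su1 or sudo projects: it assumes sudo installed from ports with its policy file at /usr/local/etc/sudoers, the user name igor and the apachectl path from the su1.priv fragment above, and it restricts the allowed arguments to the handful the post is about (start/stop).

```sudoers
# /usr/local/etc/sudoers (constructed example; edit only with visudo so a
# syntax error cannot lock every admin out)
#
# Mirrors the su1.priv fragment: WWWADMIN is the set of people allowed to
# drive the web server, and they may do so without a password ("ask never").
User_Alias WWWADMIN = igor

# Unlike su1's "prefix" match, a bare path in sudoers matches ANY argument
# list, so spell out the exact invocations that are permitted.  apachectl
# with arbitrary arguments (e.g. a custom -f config) is therefore refused.
Cmnd_Alias APACHECTL = /usr/local/apache/bin/apachectl start, \
                       /usr/local/apache/bin/apachectl stop, \
                       /usr/local/apache/bin/apachectl restart, \
                       /usr/local/apache/bin/apachectl graceful

# Members of WWWADMIN may run exactly those commands as root, on any host
# this file is shared with, without being prompted for their password.
WWWADMIN ALL = (root) NOPASSWD: APACHECTL
```

With this in place the day-to-day invocation is `sudo apachectl stop` from an ordinary unprivileged login, and every such invocation is logged by sudo with the user, the command and the arguments, which a root shell (zsh or sh, toor or root) never gives you. If apachectl must accept arbitrary arguments, list the bare path instead, but that widens what the WWWADMIN users can feed to a root process, so prefer the explicit form.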