From: Bob Johnson
To: "Pranav A. Desai", freebsd-questions@FreeBSD.ORG
Subject: Re: How to create another account with root privileges ?
Date: Thu, 10 Oct 2002 00:21:21 -0400
Message-Id: <200210100021.21979.stest033@garbonzo.hos.ufl.edu>
List: freebsd-questions@FreeBSD.ORG

On Wednesday 09 October 2002 09:02 pm, Pranav A. Desai appears to have written:

> Hi!
> I have been asked to create admin accounts for a machine such that
> all of them can access that machine as root but with different
> username and password.

In many environments, this is reasonable. Sometimes you have more than one person who must have full administrative rights, unless you plan to have your one administrator be on 24/7 call. It is good policy to prohibit anyone, even administrators, from sharing accounts, so you give each admin their own account. Of course, if they only need limited admin rights, then sudo is probably a better solution. Talk to your customer and find out what they are really trying to accomplish.
The "toor" account is an example of exactly what you want, although by default it is disabled (by an invalid password field). To create a similar account, use "vipw" to edit the password file. Copy the root entry, but give each person their own name and the shell of their choice (the shell must be in /etc/shells). Leave everything else the same as for root. If you copy the password field from the root account, then the new admin account will have the same password, which should be changed by the user of the account.

Also, never change the shell for root. It needs to be as it is for some things to work right. That's why the toor account exists: so you can set up an admin account with your choice of shell.

The big disadvantage of this is that if you have three admin accounts, an attacker has a three times greater chance of cracking the root password if they get their hands on your password file. Stress to the admins that it is critical that they use strong passwords on the admin accounts. A good way to create a strong password is to come up with a sentence of 8 or more words known only to yourself (i.e. NOT a well known phrase), and take the first letter of each word to form an acronym. Throw in some strange capitalization and a few special characters for best effect. For example, the phrase might be "my mother dances with bears (in the moonlight)", which gives me a password of "mMdwb(itm)". If the phrase used is widely known, this method becomes as easy to crack as single words of the same length, but if you use unique phrases the resulting passwords are very good.

Sure, the admins can do bad things and cover their tracks if they put enough effort into it, but they can do that if they share a single admin account, also.

Hope that helps.

- Bob

> Thanks
>
> -pranav
>
> *******************************************************************
> Pranav A.
> Desai
>
> Home :- (937) 294 1381
> *******************************************************************
>
> On 9 Oct 2002, Kirk Strauser wrote:
> > At 2002-10-09T17:36:02Z, "Pranav A. Desai" writes:
> > > How can I create a user account that can function like a root
> > > account with the same privileges ? I need to create three such
> > > accounts. Is it possible ?
> >
> > Short answer: you probably don't really want to do this. What
> > problem are you needing to solve by having multiple root accounts?
> > --
> > Kirk Strauser
> > In Googlis non est, ergo non est.
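The procedure Bob describes (copy root's master.passwd entry, change only the login name and the shell, keep uid 0 and gid 0, and make sure the shell is listed in /etc/shells), as an added example that is not code from the original thread. It builds the new entry as text so it can be checked before being pasted into vipw, reads constructed sample data instead of the real /etc/master.passwd and /etc/shells, and by default writes "*" into the password field so the new admin must set a password with passwd(1) before first login; that locking default, the gecos text, and the function names are assumptions of this example, and passing "copy" as the last argument copies root's hash instead, which is the behaviour the reply describes. list_uid0 lists every root-equivalent account, which is the exposure the reply warns about.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample data:
# a real run would read /etc/master.passwd and /etc/shells instead.
# The hashes below are placeholders, not real crypt(3) output.
# master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD='root:$1$fakesalt$fakehash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
pranav:$1$fakesalt$otherhash:1001:1001::0:0:Pranav A. Desai:/home/pranav:/bin/sh'

SAMPLE_SHELLS='# $FreeBSD$
# List of acceptable shells for chpass(1).
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash'

# shell_allowed SHELL SHELLS_TEXT -> status 0 if SHELL is listed
# (comment and blank lines in the shells file are ignored).
shell_allowed() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# make_admin_entry MASTER_PASSWD_TEXT NEWNAME NEWSHELL SHELLS_TEXT [MODE]
# Prints a root-equivalent entry built from root's line: new name, new
# shell, uid/gid still 0:0, class/change/expire/home left as root has them.
# MODE "lock" (default) puts "*" in the password field (assumption of this
# example: the admin runs passwd(1) before first login). MODE "copy" keeps
# root's hash, i.e. the same password until the admin changes it.
# Prints nothing and returns 1 on a bad name, duplicate name, or bad shell.
make_admin_entry() {
    mp=$1; name=$2; shell=$3; shells=$4; mode=${5:-lock}
    case $name in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;   # reject empty or odd login names
    esac
    # refuse a name that already exists (toor, daemon, ...)
    printf '%s\n' "$mp" | awk -F: -v n="$name" \
        '$1 == n { found = 1 } END { exit found ? 1 : 0 }' || return 1
    shell_allowed "$shell" "$shells" || return 1
    printf '%s\n' "$mp" | awk -F: -v OFS=: -v n="$name" -v s="$shell" -v m="$mode" '
        $1 == "root" {
            $1 = n                          # new login name
            if (m != "copy") $2 = "*"       # locked until passwd(1) sets a hash
            # $3 and $4 stay 0:0; $5, $6, $7 and $9 are copied from root
            $8 = "Admin (root-equivalent) " n
            $10 = s                         # the admin'"'"'s own shell, never root'"'"'s
            print; found = 1
        }
        END { exit found ? 0 : 1 }'
}

# list_uid0 MASTER_PASSWD_TEXT -> login names of every uid-0 account.
# Each one is a separate guess at the root password for anyone who
# obtains the file, which is the exposure the reply warns about.
list_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Usage on the sample data: prints the entry you would paste into vipw,
# then the current list of root-equivalent accounts.
make_admin_entry "$SAMPLE_MASTER_PASSWD" bob /bin/sh "$SAMPLE_SHELLS"
list_uid0 "$SAMPLE_MASTER_PASSWD"
```

On a live system, feed the function the contents of /etc/master.passwd and /etc/shells, review the printed line, and add it with vipw rather than editing the file directly, so that the password database is rebuilt and locked properly. Rerun list_uid0 afterwards; it should show exactly the accounts you intended, and root's own shell should be unchanged.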