From: Matthew Seaman
To: Fedder Skovgaard
Cc: freebsd-questions@freebsd.org
Date: Fri, 2 May 2003 10:43:13 +0100
Subject: Re: Being root via ssl
Message-ID: <20030502094313.GA11643@happy-idiot-talk.infracaninophile.co.uk>

On Fri, May 02, 2003 at 11:13:13AM +0200, Fedder Skovgaard wrote:

> I've got a 5.0-release box running remotely, and access it through ssl. I
> (obviously) created a default user account for day to day work, but
> discovered that I wasn't able to "su" when logged in via ssl.

I take it you mean 'ssh' rather than ssl. Once you've logged in via
ssh (or any other mechanism), you have full access to all the
permissions of your account. Thus if you can't su to root from a ssh
session, then it's more than probable that you couldn't su even if
logged in to that account on the console.

Now, the reason that you can't su from your personal account is a FAQ:
you need to be a member of group 'wheel' before you can do that. To
make yourself a member of the wheel group, log in as root and:

    # pw group mod -n wheel -m fsk

and when you log into the fsk account again, you should be able to su.

> The only way I (As a newbie) could be able to change to root was to allow
> direct root login via ssl, which was documented as being something one
> quite seldomly would want to do.

Yes. This is true. For interactive logins a) you really don't want to
run as root for the whole session, just for those commands that
require root privilege and b) requiring people to log in under their
own UIDs and then use su(1) or sudo(8) or equivalent establishes an
audit trail which is invaluable when it all goes horribly wrong.
However, this is not a hard and fast rule, and local idiosyncrasies
may override common sense.

Note that a) applies just as well to logins via the console as well as
via the network. However, don't even think about locking root out of
console logins unless you fully understand the consequences.

> What is the preferred way of doing this, and is it _really_ dangerous to
> allow root login via ssl ?

Make a rule to always log in under your own user ID, and then only use
su(1) absolutely when necessary: preferably for single command lines
only. Even better is to install sudo(8) or super(8) from the ports,
which allow you to set up nominated users to run commands with root
privilege but without having to hand out the root password. This is a
good idea even if it's your own personal machine and you are the only
user.

The one great exception to all this is where you need to remotely run
a privileged command via ssh *automatically* and without user
intervention to type in passwords -- eg. to kick off a backup in the
middle of the night. In this case you should use ssh key based
authorization: generate a passwordless key pair for root, but use the
'command=/foo/bar/baz' syntax in root's authorized_keys file to limit
what can be run via that particular key.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
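
An added example, not part of the original message: a shell audit that applies the advice about 'command=' in root's authorized_keys by flagging every key line that has no forced command. The sample file, the placeholder key blobs and the function names are constructed for illustration; only /foo/bar/baz comes from the message.

```shell
#!/bin/sh
# Added example: flag keys in an authorized_keys file that lack a forced command.

# Constructed sample; the key blobs are placeholders, not real keys.
write_sample() {
    cat > "$1" <<'EOF'
# root's authorized_keys (constructed)
command="/foo/bar/baz",no-pty,no-port-forwarding ssh-ed25519 AAAAPLACEHOLDER1 nightly-backup
ssh-rsa AAAAPLACEHOLDER2 admin@laptop
no-pty,from="192.0.2.10" ssh-ed25519 AAAAPLACEHOLDER3 command=only-a-comment
command="/foo/bar/baz \"full run\"" ssh-ed25519 AAAAPLACEHOLDER4 quoted-args
EOF
}

# Print "LINE STATUS" per key line: "forced" if it has command="...", else "unrestricted".
audit_keys() {
    awk '
    /^[ \t]*#/ { next }                     # comment
    /^[ \t]*$/ { next }                     # blank line
    {
        line = $0
        gsub(/\\"/, "", line)               # drop escaped quotes inside option values
        gsub(/"[^"]*"/, "\"\"", line)       # blank quoted values, which may contain spaces
        $0 = line                           # re-split on whitespace
        status = "unrestricted"
        # A line that starts with a key type has no options field at all.
        if ($1 !~ /^(ssh-|ecdsa-|sk-)/) {
            n = split($1, opt, ",")
            for (i = 1; i <= n; i++)
                if (tolower(opt[i]) ~ /^command=/) status = "forced"
        }
        print NR, status
    }' "$1"
}

# Number of keys that would give an unrestricted shell.
count_unrestricted() {
    audit_keys "$1" | awk '$2 == "unrestricted" { n++ } END { print n + 0 }'
}

sample=$(mktemp)
write_sample "$sample"
audit_keys "$sample"
rm -f "$sample"
```

Setting `PermitRootLogin forced-commands-only` in sshd_config makes sshd itself refuse root logins from keys that carry no forced command, so the audit and the daemon setting back each other up.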