Date: Thu, 10 Oct 2002 07:04:35 +0200
From: Marc Perisa <perisa@porsche.de>
To: Peter Leftwich <Hostmaster@Video2Video.Com>
Cc: FreeBSD LIST <FreeBSD-Questions@FreeBSD.Org>
Subject: Re: How to create another account with root privileges ?
Message-ID: <3DA50A63.2050005@porsche.de>
References: <20021010003307.C41584-100000@earl-grey.cloud9.net>
Peter Leftwich wrote:

> On Thu, 10 Oct 2002, Bob Johnson wrote:
>
>> On Wednesday 09 October 2002 09:02 pm, Pranav A. Desai appears to have written:
>>
>>> Hi! I have been asked to create admin accounts for a machine such that
>>> all of them can access that machine as root but with different
>>> username and password.
>>
>> In many environments, this is reasonable. Sometimes you have
>> more than one person who must have full administrative rights,
>> unless you plan to have your one administrator be on 24/7 call. It is
>> good policy to prohibit anyone, even administrators, from sharing
>> accounts, so you give each admin their own account. Of course, if
>> they only need limited admin rights, then sudo is probably a better
>> solution. Talk to your customer and find out what they are really trying
>> to accomplish.
>
> man su

Nope. man sudo - as Bob Johnson said. Or man super. Or or or. Today there
is a bunch of alternatives. Take a look into /usr/ports/security for
wrappers. (A colleague wrote his own some years ago when there was no
alternative.)

>> The "toor" account is an example of exactly what you want, although
>> by default it is disabled (by an invalid password field). To create a
>> similar account, use "vipw" to edit the password file. Copy the root entry,
>> but give each person their own name and the shell of their choice (the
>> shell must be in /etc/shells).
>
> What -is- that toor (root backwards) account for anyways??

Do a little google search. Or it is mentioned in the handbook (iirc).

> Is there a command similar to vipw that uses a simpler editor, like pico?

IIRC no. Get used to vi. You will have to use it sometimes in the future.
If you do any commercial *nix there normally isn't anything else (ok,
apart from ed :)) installed by default. And if you are a consultant and
go to a customer and ask for pico ...

>> Leave everything else the same as for root. If you copy the password
>> field from the root account, then the new admin account will have the
>> same password, which should be changed by the user of the account.
>> Also, never change the shell for root. It needs to be as it is for some
>> things to work right. That's why the toor account exists: so you can
>> set up an admin account with your choice of shell.
>
> I always log in 100% of the time to my box as root and my shell is tcsh

Eum. DON'T. Use su/super/sudo mostly ANY time you have to do work as root.
sudo provides you with a log of what you have done. That might come in
handy if you typed "rm -rf */*1*/??g*/*html" ... it will get expanded in
the log - and then you know what to restore :) Also if more than one user
is administrating you even know who had done what and when (ok, you can
change the log - but that will get obvious). And the biggest plus is:
NO ONE has to know the root password. You can let a manager set it, write
it down on a paper, put that into an envelope, seal the envelope and put
that envelope into a safe. Some companies (like banks, insurers) have a
policy to do so.

> Does it matter that (I think) I changed the shell for root?

Yes, it does. If you boot single-user and/or your /usr partition is
corrupted (you have to do a fsck) you cannot use that shell, because it
is on that partition. For other OSes (like HP-UX) there is the problem
that other shells than /bin/sh are *not* statically linked - so without
/usr you can do nothing - but you must. (I don't know if that applies to
FreeBSD too - if not take it as a general warning.)

>> The big disadvantage of this is that if you have three admin accounts,
>> an attacker has three times greater chance of cracking the root
>> password if they get their hands on your password file. Stress to the
>> admins that it is critical that they use strong passwords on the admin
>> accounts. A good way to create a strong password is to come up
>> with a sentence of 8 or more words known only to yourself (i.e. NOT
>> a well known phrase), and take the first letter of each word to form an
>> acronym. Throw in some strange capitalization and a few special
>> characters for best effect. For example, the phrase might be
>> "my mother dances with bears (in the moonlight)", which gives me a
>> password of "mMdwb(itm)". If the phrase used is widely known, this
>> method becomes as easy to crack as single words of the same length,
>> but if you use unique phrases the resulting passwords are very good.
>
> Good point about crackers and their having three times the power!

First they have to tell what user accounts exist. ....

Hope that helps

Marc
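A defender-side check for the vipw advice in this thread, added here as an example and not part of the original messages: it lists every UID-0 account in a passwd-style file and flags the two mistakes discussed above, a password hash copied unchanged from root and a login shell that is not in /etc/shells. The sample password file and shells list are constructed; the audit function, awk-based, is the author's own assumption of how one would script this.

```shell
#!/bin/sh
# Added example: audit a passwd-style file for every UID-0 account after admins
# were added with vipw. Handles FreeBSD master.passwd (10 fields) and plain
# passwd (7 fields): field 1 = name, 2 = password hash, 3 = uid, last = shell.
# An empty shell field means /bin/sh (passwd(5)), as in the default toor entry.
#
# audit_uid0 PASSWD_FILE SHELLS_FILE -> one "name:shell:findings" line per UID-0
# account, where findings is "ok" or a list of:
#   locked             password field is "*", the account cannot log in
#   same-hash-as-root  hash copied from root, so both accounts share a password
#   shell-not-listed   shell is not in SHELLS_FILE, so login(1) will refuse it
audit_uid0() {
    awk -F: -v shells="$2" '
        BEGIN { n = 0; while ((getline l < shells) > 0) if (l !~ /^#/ && l != "") ok[l] = 1 }
        /^#/ || NF < 7 { next }
        $3 == 0 {
            if ($1 == "root") roothash = $2
            name[n] = $1; hash[n] = $2; shell[n] = ($NF == "" ? "/bin/sh" : $NF); n++
        }
        END {
            for (i = 0; i < n; i++) {
                f = ""
                if (hash[i] == "*") f = f " locked"
                else if (name[i] != "root" && hash[i] == roothash) f = f " same-hash-as-root"
                if (!(shell[i] in ok)) f = f " shell-not-listed"
                if (f == "") f = " ok"
                sub(/^ /, "", f)
                print name[i] ":" shell[i] ":" f
            }
        }' "$1"
}

# Constructed sample data (not a real system); the hashes are placeholders.
work=$(mktemp -d)
SAMPLE_PASSWD="$work/master.passwd"
SAMPLE_SHELLS="$work/shells"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:$1$PLACEHOLDER_ROOT:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
alice:$1$PLACEHOLDER_ROOT:0:0::0:0:Alice Admin:/home/alice:/usr/local/bin/bash
bob:$1$PLACEHOLDER_BOB:0:0::0:0:Bob Admin:/home/bob:/usr/local/bin/zsh
carol:$1$PLACEHOLDER_CAROL:1001:1001::0:0:Carol User:/home/carol:/bin/sh
EOF
printf '%s\n' '# List of acceptable shells' /bin/sh /bin/csh /bin/tcsh /usr/local/bin/bash > "$SAMPLE_SHELLS"

audit_uid0 "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
```

On a live FreeBSD box run it as root against /etc/master.passwd and /etc/shells; the sample above reports alice sharing root's hash and bob with an unlisted shell.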