From owner-freebsd-questions Wed Oct 9 21:57:24 2002
Message-ID: <3DA50A63.2050005@porsche.de>
Date: Thu, 10 Oct 2002 07:04:35 +0200
From: Marc Perisa
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020709
To: Peter Leftwich
Cc: FreeBSD LIST
Subject: Re: How to create another account with root privileges ?
References: <20021010003307.C41584-100000@earl-grey.cloud9.net>

Peter Leftwich wrote:
> On Thu, 10 Oct 2002, Bob Johnson wrote:
>
>> On Wednesday 09 October 2002 09:02 pm, Pranav A. Desai appears to have written:
>>
>>> Hi! I have been asked to create admin accounts for a machine such that
>>> all of them can access that machine as root but with different
>>> username and password.
>>
>> In many environments, this is reasonable. Sometimes you have
>> more than one person who must have full administrative rights,
>> unless you plan to have your one administrator be on 24/7 call. It is
>> good policy to prohibit anyone, even administrators, from sharing
>> accounts, so you give each admin their own account. Of course, if
>> they only need limited admin rights, then sudo is probably a better
>> solution. Talk to your customer and find out what they are really trying
>> to accomplish.
>
> man su

Nope. man sudo - as Bob Johnson said. Or man super. Or or or. Today there is
a bunch of alternatives. Take a look into /usr/ports/security for wrappers.
(A colleague wrote his own some years ago when there was no alternative.)

>> The "toor" account is an example of exactly what you want, although
>> by default it is disabled (by an invalid password field). To create a
>> similar account, use "vipw" to edit the password file. Copy the root entry,
>> but give each person their own name and the shell of their choice (the
>> shell must be in /etc/shells).
>
> What -is- that toor (root backwards) account for anyways??

Do a little google search. Or it is mentioned in the handbook (iirc).

> Is there a command similar to vipw that uses a simpler editor, like pico?

IIRC no. Get used to vi. You will have to use it sometimes in the future. If
you do any commercial *nix there normally isn't anything else (ok, besides ed
:)) installed by default. And if you are a consultant and go to a customer
and ask for pico ...

>> Leave everything else the same as for root. If you copy the password
>> field from the root account, then the new admin account will have the
>> same password, which should be changed by the user of the account.
>> Also, never change the shell for root. It needs to be as it is for some
>> things to work right. That's why the toor account exists: so you can
>> set up an admin account with your choice of shell.
>
> I always log in 100% of the time to my box as root and my shell is tcsh

Eum. DON'T. Use su/super/sudo mostly ANY time you have to do work as root.
sudo provides you with a log of what you have done. That might come in handy
if you typed "rm -rf */*1*/??g*/*html" ... it will get expanded in the log -
and then you know what to restore :) Also if more than one user is
administrating you even know who had done what, and when (ok, you can change
the log - but that will get obvious). And the biggest plus is: NO ONE has to
know the root password. You can let a manager set it, write it down on a
piece of paper, put that into an envelope, seal the envelope and put that
envelope into a safe. Some companies (like banks, assurances) have a policy
to do so.

> Does it matter that (I think) I changed the shell for root?

Yes, it does. If you boot single-user and/or your /usr partition is corrupted
(you have to do a fsck) you cannot use that shell, because it is on that
partition. For other OSes (like HP-UX) there is the problem that shells other
than /bin/sh are *not* statically linked - so without /usr you can do nothing
- but you must. (I don't know if that applies to FreeBSD too - if not take it
as a general warning.)

>> The big disadvantage of this is that if you have three admin accounts,
>> an attacker has three times greater chance of cracking the root
>> password if they get their hands on your password file. Stress to the
>> admins that it is critical that they use strong passwords on the admin
>> accounts. A good way to create a strong password is to come up
>> with a sentence of 8 or more words known only to yourself (i.e. NOT
>> a well known phrase), and take the first letter of each word to form an
>> acronym. Throw in some strange capitalization and a few special
>> characters for best effect. For example, the phrase might be
>> "my mother dances with bears (in the moonlight)", which gives me a
>> password of "mMdwb(itm)". If the phrase used is widely known, this
>> method becomes as easy to crack as single words of the same length,
>> but if you use unique phrases the resulting passwords are very good.
>
> Good point about crackers and their having three times the power!

First they have to tell what user accounts exist. ....

Hope that helps
Marc

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
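An added audit script (not part of the thread, and not any poster's code) that checks a master.passwd(5)-style file for the points raised above: which logins have UID 0, how many of those have a usable password (the "three admin accounts" exposure), whether root still has /bin/sh, and which shells are not listed in /etc/shells. The account entries and shells list are constructed sample data written to temporary files.

```shell
# Added example, not from the thread. Works on the 10-field master.passwd(5)
# layout shown below and on the 7-field passwd(5) layout, since only the
# name, password, uid and last (shell) fields are inspected.
# The two sample files are constructed data, not taken from any system.
SAMPLE_PASSWD=$(mktemp); SAMPLE_SHELLS=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:$1$fakehash$aaaaaaaaaaaaaaaaaaaaaa:0:0::0:0:Charlie &:/root:/usr/local/bin/tcsh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
alice:$1$fakehash$bbbbbbbbbbbbbbbbbbbbbb:0:0::0:0:Admin Alice:/home/alice:/usr/local/bin/bash
bob:$1$fakehash$cccccccccccccccccccccc:0:0::0:0:Admin Bob:/home/bob:/usr/local/bin/zsh
carol:$1$fakehash$dddddddddddddddddddddd:1001:1001::0:0:Carol:/home/carol:/bin/sh
EOF
cat >"$SAMPLE_SHELLS" <<'EOF'
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash
EOF

# Every login with UID 0: root, toor and any per-admin copies made with vipw.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# UID-0 entries whose password field is a real hash, i.e. how many root-equivalent
# passwords someone holding a copy of the file could attack. A field that is empty
# or starts with "*" is disabled, which is how toor ships by default.
enabled_uid0_count() {
    awk -F: '$3 == 0 && $2 != "" && $2 !~ /^\*/ { n++ } END { print n + 0 }' "$1"
}

# "ok" if root keeps /bin/sh (an empty shell field also means /bin/sh);
# otherwise the shell that would be missing when /usr is not mounted.
root_shell_check() {
    awk -F: '$1 == "root" { if ($NF == "" || $NF == "/bin/sh") print "ok"; else print $NF }' "$1"
}

# Logins whose shell is set but not listed in the shells file (2nd argument);
# on a real system that file is /etc/shells, which vipw and login check.
shells_not_listed() {
    awk -F: 'NR == FNR { ok[$0] = 1; next }
             $NF != "" && !($NF in ok) { print $1 ":" $NF }' "$2" "$1"
}

audit_report() {
    echo "UID-0 accounts: $(uid0_accounts "$1" | tr '\n' ' ')"
    echo "UID-0 accounts with a usable password: $(enabled_uid0_count "$1")"
    echo "root shell: $(root_shell_check "$1")"
    echo "shells not listed in $2:"
    shells_not_listed "$1" "$2" | sed 's/^/  /'
}
audit_report "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
```

To run it against a live system, call `audit_report /etc/master.passwd /etc/shells` as root instead of the sample files.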