From owner-freebsd-security Fri Dec 8 7: 6:58 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 8 07:06:55 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.arch.bellsouth.net (ns1.arch.bellsouth.net [205.152.173.2])
    by hub.freebsd.org (Postfix) with ESMTP id 9ACA337B401
    for ; Fri, 8 Dec 2000 07:06:54 -0800 (PST)
Received: from bar (ckhome [24.31.106.127])
    by ns1.arch.bellsouth.net (8.9.1a/8.9.1) with SMTP id KAA23688;
    Fri, 8 Dec 2000 10:06:52 -0500 (EST)
From: "Christian Kuhtz"
To: "Forrest Houston"
Cc:
Subject: RE: toor account
Date: Fri, 8 Dec 2000 10:05:19 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
In-Reply-To:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Still bad policy. Seen this exact thing blow up too many times. If you
need distributed admin rights, use sudo.

--
Christian Kuhtz -wk, -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."

> -----Original Message-----
> From: Forrest Houston [mailto:fhouston@east.isi.edu]
> Sent: Friday, December 08, 2000 10:05 AM
> To: Christian Kuhtz
> Cc: security@FreeBSD.ORG
> Subject: RE: toor account
>
>
> Personally I've found the toor account helpful on "shared" machines. So
> if there is a group that has primary sysadmin responsibility for the machine
> they get the root password. However as the network admin there might be
> times things need to change/fix something so the netadmin has the toor
> password. That way each group can use their own password schemes, which
> will also hopefully eliminate the need for password lists.
>
> Just a thought
> Forrest
>
> On Fri, 8 Dec 2000, Christian Kuhtz wrote:
>
> >
> > Sorry, no coffee yet. Let's try this again.
> >
> > Inconsistent site policy is a bad practice. Choose one. Worse, never have
> > two role accounts for the same function.
> >