From owner-freebsd-chat Mon Jan 7 21:59:14 2002
Delivered-To: freebsd-chat@freebsd.org
Received: from catalyst.sasknow.net (catalyst.sasknow.net [207.195.92.130])
	by hub.freebsd.org (Postfix) with ESMTP id 1BFE637B402
	for ; Mon, 7 Jan 2002 21:59:10 -0800 (PST)
Received: from localhost (ryan@localhost)
	by catalyst.sasknow.net (8.11.6/8.11.6) with ESMTP id g085x5o29557;
	Mon, 7 Jan 2002 23:59:05 -0600 (CST)
	(envelope-from ryan@sasknow.com)
X-Authentication-Warning: catalyst.sasknow.net: ryan owned process doing -bs
Date: Mon, 7 Jan 2002 23:59:05 -0600 (CST)
From: Ryan Thompson
X-X-Sender:
To: Arcady Genkin
Cc:
Subject: Re: Multiple root accounts
In-Reply-To: <87zo3p776c.fsf@tea.thpoon.com>
Message-ID: <20020107233232.O26769-100000@catalyst.sasknow.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Arcady Genkin wrote to chat@FreeBSD.ORG:

> [...]
> Here's what I can think of with regards to having one UID 0 account
> per each admin:
>
> Pros:
> - each admin can have his own customization (dot files etc.)

Yes.

> - possibly, accountability is increased

Yes, for the normal things. Although anybody with superuser privs can
easily mangle logs, etc.

> - each admin can choose a password that's easy to remember for him

Yes, and have the freedom to change that password independently of the
other admins.

> - no need to communicate a new password, like it would have to be
>   communicated if one root account were shared
>
> Cons:
> - there is a chance that some admin would choose a weak root password

Yes, but if you have an admin that does that, he/she should really NOT
have root access ;-)

> - anything else?..
>
> What am I missing? It would be nice to hear how others approach
> this problem.

Multiple accounts with uid, gid = 0 is the better approach of the two.
Also check out sudo (/usr/ports/security/sudo). It allows you to pick and
choose actions for each user that are run with elevated privs. It provides
a much more granular approach to delegating sysadmin tasks.

But, I feel as though I should state my opinion in the larger picture.
Having more than one full administrator for each machine, IMO, is usually
a bad idea, unless perhaps it's a toy box for development, and even then
you need some solid network ground rules.

If you need to share the administration of one machine, I favor the
following approach:

  o ONE responsible, accountable administrator with root access
  o No one else with a root account

For each delegated responsibility "x", follow this questioning, in this
order:

  1. Can x be done by a normal user? (More often than not, the answer
     is "yes", or "yes, with a few changes to ownerships and group
     membership"). If yes, do it.

  2. Can x be implemented securely by a standard root process (eg,
     cron)? If yes, do it.

  3. Is there an alternative to x that does not require superuser
     privs? (i.e., move things to SQL database, install a competing
     version of the program, etc)

  4. Ok, if x really requires root, can it be executed with sudo?
     (I am not aware of very many things that can't be done with
     sudo.. so the answer is probably "yes").

  5. If all else fails, the single root user can do it. If it is a
     sufficiently time consuming task, you'll be looking for ways to
     do it in 1..4 pretty soon. :-)

Sometimes, you'll find tradeoffs, and the above, by far, isn't an exact
science, but as a general approach, it seems to work quite well for myself
and others. If you force yourself to consider option 1 before 2, etc, as
opposed to being lazy and doing everything as root (or, worse yet, handing
out root passwords) you'll most often end up with a more stable and secure
system. Even if you don't need to delegate any responsibilities, this is a
good approach to follow, to shield you from accidental root mishaps and
the like.

To reuse a tired cliche, giving someone root access to perform two or
three tasks is like using a sledgehammer to crack a walnut. Seek viable
alternatives! :-)

- Ryan

-- 
  Ryan Thompson
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669 (877-SASKNOW)     North America
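
A check for the "one root account, no one else with a root account" policy described in the message above, as an added example that is not part of the original post. The function name `uid0_audit`, its allowlist arguments and the sample file are assumptions made for illustration; the sample entries and hashes are constructed.

```shell
#!/bin/sh
# Audit a passwd(5) or master.passwd(5) format file for superuser accounts.
# Usage: uid0_audit FILE [ALLOWED_NAME ...]   (allowlist defaults to "root")
# Prints "name uid gid password-state shell verdict" for every account whose
# uid or primary gid is 0. Returns 1 if a UID-0 account is not allowlisted.
uid0_audit() {
    file=$1; shift
    [ $# -eq 0 ] && set -- root
    awk -F: -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^#/ || NF < 7 { next }          # skip comments and malformed lines
        $3 != 0 && $4 != 0 { next }      # only uid 0 or gid 0 is of interest
        {
            # master.passwd has 10 fields and carries the hash; passwd has 7.
            if (NF < 10)          pw = "shadowed"   # hash not in this file
            else if ($2 == "")    pw = "EMPTY"      # no password required
            else if ($2 ~ /^\*/)  pw = "locked"     # "*" or "*LOCKED*..."
            else                  pw = "set"
            sh = ($NF == "" ? "(default)" : $NF)
            if ($3 != 0)        verdict = "gid0-only"
            else if ($1 in ok)  verdict = "expected"
            else              { verdict = "UNEXPECTED-UID0"; bad = 1 }
            print $1, $3, $4, pw, sh, verdict
        }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample in master.passwd(5) layout; the hashes are placeholders.
sample_master_passwd() {
    cat <<'EOF'
root:$6$placeholderhash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
alice:$6$placeholderhash:0:0::0:0:Alice (second root):/home/alice:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
bob:$6$placeholderhash:1001:0::0:0:Bob:/home/bob:/bin/sh
EOF
}

# Example: sample_master_passwd > /tmp/mp.sample; uid0_audit /tmp/mp.sample root toor
```

FreeBSD ships a second UID-0 account, `toor`, so it is passed in the allowlist here; on a real system, run the function against /etc/master.passwd as root to see the password state.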