From: "Craig Edwards"
To: "freebsd-security@freebsd.org"
Date: Fri, 9 Jul 2004 21:26:40 +0100
Subject: Re: Re: Root users shell == no existant shell /bin/bash

I'm relatively new to FreeBSD, having moved from Linux, and as soon as I
found the toor account I deleted it after research deciding that having two
uid 0 accounts on my system was a really really bad idea. I guess there are
times when it's good to have a backup, but then you have to weigh up the
costs of auditing that second account with its usefulness. In most compile
steps, only one phase of the compile requires root (make install), which
cuts down greatly the amount of time you spend as a superuser, and the
amount of damage you can do (accidentally or otherwise).

Thanks,
Craig

>Wrote Peter C. Lai:
>
>> On Fri, Jul 09, 2004 at 11:58:35AM +0200, Anders Dahlqvist wrote:
>> > On Thursday 8 July 2004 17.29, Brandon Grace wrote:
>> > > I made a mistake setting my shell and have set the root user's shell to
>> > > /bin/bash instead of /bin/sh. I am curious if anyone knows how to fix this.
>> > > The machine is FreeBSD 4.8-RELEASE-p4 and does not have sudo, only su.
>> >
>> > ...and I gather that "su - toor" doesn't work either for some reason or other?
>>
>> toor has a disabled (*) password by default. What Brandon should have done was
>> set a password for toor in the beginning, without mucking around with root's
>> shell. But as a rule of thumb, you're probably superuser way too much if you
>> develop an urge to change its shell anyway.
>
>Some of us either have to do extensive work as root (I myself
>extensively use shell programming on the command line -- which is not
>easy nor sensible in either csh or tcsh), or find it extremely
>annoying to use the least favorite shell during an emergency.
>
>On the other hand, I've run across a sysadmin who always enables his
>toor accounts -- and changes its shell to bash. As a result, not only
>is there an alternate root account (good in case 'root' is trampled on by
>accident or on purpose), but you can get root bash as a login shell while
>leaving the real root to its normal shell.
>
>Since then I've adopted this tip on the BSD system I run.
>
> -Daniel
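
The audit cost raised above can be reduced to a small check. The following is an added example, not part of the thread: it lists every uid 0 account in a passwd-format file, shows whether its password is disabled, and flags a login shell that does not exist (the situation the original poster ended up in). The function name audit_uid0, its optional root-prefix argument and the sample file are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): list every UID 0 account in a
# passwd(5)-format file and check that its login shell exists.
# Usage: audit_uid0 PASSWD_FILE [ROOT_PREFIX]
# ROOT_PREFIX (hypothetical parameter) is prepended to shell paths so a
# copy of a system can be checked. Returns 1 if any shell is missing.
audit_uid0() {
    awk -F: '!/^#/ && $3 == 0 { print $1 ":" $2 ":" $NF }' "$1" | (
        status=0
        while IFS=: read -r name pw shell; do
            case $pw in
                '')  pwstate="EMPTY" ;;
                \**) pwstate="disabled" ;;  # "*" or "*LOCKED*..." matches no password
                *)   pwstate="set" ;;
            esac
            # passwd(5): an empty shell field means /bin/sh
            [ -n "$shell" ] || shell=/bin/sh
            if [ -x "${2:-}$shell" ]; then
                shstate="ok"
            else
                shstate="MISSING"
                status=1
            fi
            echo "$name password=$pwstate shell=$shell ($shstate)"
        done
        exit "$status"
    )
}

# Constructed sample mirroring the thread: root's shell points at a missing
# /bin/bash, toor keeps its default disabled password and empty shell field.
demo=$(mktemp -d)
mkdir -p "$demo/bin" && : > "$demo/bin/sh" && chmod +x "$demo/bin/sh"
cat > "$demo/master.passwd" <<'EOF'
# constructed sample, master.passwd(5) layout
root:$2b$CONSTRUCTEDHASH:0:0::0:0:Charlie &:/root:/bin/bash
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
audit_uid0 "$demo/master.passwd" "$demo" || echo "at least one uid 0 shell is missing"
```

On a live system the call would be audit_uid0 /etc/master.passwd, run as root since that file is not world-readable.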