Date: Fri, 9 Jul 2004 21:26:40 +0100 From: "Craig Edwards" <brain@winbot.co.uk> To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: Re: Re: Root users shell == no existant shell /bin/bash Message-ID: <E1Bj1xH-000CaO-3d@brainbox.winbot.co.uk>
next in thread | raw e-mail | index | archive | help
i'm relatively new to freebsd, having moved from linux, and as soon as i found the toor account i deleted it after research deciding that having two uid 0 accounts on my system was a really really bad idea. I guess there are times when its good to have a backup, but then you have to weigh up the costs of auditing that second account with its usefulness. In most compile steps, only one phase of the compile requires root (make install), which cuts down greatly the amount of time you spend as a superuser, and the amount of damage you can do (accidentally or otherwise). Thanks, Craig >Wrote Peter C. Lai: > >> On Fri, Jul 09, 2004 at 11:58:35AM +0200, Anders Dahlqvist wrote: >> > torsdagen den 8 juli 2004 17.29 skrev Brandon Grace: >> > > I made a mistake setting my shell and have set the root users shell to >> > > /bin/bash instead of /bin/sh. I am curiuos if anyone knows how to fix this. >> > > The machines is FreeBSD 4.8-RELEASE-p4 and does not have sudo only su. >> > >> > ...and I gather that "su - toor" doesn't work either for some reason or other? >> >> toor has a disabled (*) password by default. What Brannon should have done was >> set a password for toor in the beginning, without mucking around with root's >> shell. But as a rule of thumb, you're probably superuser way too much if you >> develop an urge to change it shell anyway. > >Some of us either have to do extensive work as root (I myself >extensively use shell programming on the command line -- which is not >easy nor sensible in either csh or tcsh), or find it extremely >annoying to use the least favorite shell during an emergency. > >On the other hand, I've run across a sysadmin who always enables his >toor accounts -- and changes its shell to bash. As a result, not only >is there an alternate root account (good in case 'root' trampled on by >accident or purpose), but you can get root bash as a login shell while >leaving the real root to its normal shell. > >Since then I've adopted this tip on the BSD system I run. > > -Daniel >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1Bj1xH-000CaO-3d>