Date:      Sat, 10 Jul 2004 12:34:57 -0400
From:      Bill Vermillion <bv@wjv.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Root users shell
Message-ID:  <20040710163457.GD21011@wjv.com>
In-Reply-To: <20040710120104.88C8116A4E2@hub.freebsd.org>
References:  <20040710120104.88C8116A4E2@hub.freebsd.org>

> Message: 1
> Date: Fri, 9 Jul 2004 09:55:40 -0700 (PDT)
> From: Roger Marquis <marquis@roble.com>
> Subject: Re: Root users shell == no existant shell /bin/bash
> To: freebsd-security@freebsd.org
> Message-ID: <20040709165540.2799D2C1CC@mx5.roble.com>
> Content-Type: TEXT/PLAIN; charset=US-ASCII

> "Peter C. Lai" wrote:
> > as a rule of thumb, you're probably superuser way too much if you
> > develop an urge to change its shell anyway.

> Where do people come up with these folk "rules"? I spend all day
> working in various root shells as part of my job. Couldn't do it
> otherwise.

> > toor has a disabled (*) password by default. What Brannon
> > should have done was set a password for toor in the beginning,
> > without mucking around with root's shell.

> In 8 years of BSD administration I've never seen the toor
> account used. IMO, as a matter of security, KIS, and for
> improved cross-platform compatibility it should be removed from
> the distribution.

I've used it a few times.  Since about 1996 I've used the ksh
as the default root shell on all Unix systems I've administered -
commercial distributions and FreeBSD.  I also set up the
commercial Unixen the same way FreeBSD does, with /root being
the owner's home directory instead of /.   It's one more little
thing that can help prevent a mistype from removing critical files,
by accident, or if there is more than one person with root access.

Having *toor* with the default /bin/sh came in handy.
Something in the gnu tools had changed and I was having a bizarre
failure on building a port.   Logging out and back in under
*toor* showed there was an incompatibility between the current
Gnu approach and the ksh I was running.   A quick upgrade
to the current sources from AT&T/David Korn fixed that.
Having an alternate and simple shell can be handy.

I've not had to use toor very often.  And I've used the
live-CD - #2 CD - twice.  But it was a lifesaver both times.

I moved the ISP I was working for in 1995 completely off
the SGI Challenge servers and the multi $K Netscape commercial
product to FreeBSD and Apache in 1996.  Far more speed on
platforms that weren't as powerful.

I don't see anything more insecure with having both a root and toor
account.   And I've had exactly ONE security breach.  I had missed
ONE machine on a telnet upgrade - late 1990s.  I caught it within
hours of the daily security email.  I keep them as tight as I can
as I'm on a 10Gbps backbone - but I've never removed toor.

But that's just my approach.

Bill
-- 
Bill Vermillion - bv @ wjv . com

