From: Bill Vermillion
Reply-To: bv@wjv.com
To: freebsd-security@freebsd.org
Date: Sat, 10 Jul 2004 12:34:57 -0400
Subject: Re: Root users shell
Message-ID: <20040710163457.GD21011@wjv.com>
In-Reply-To: <20040710120104.88C8116A4E2@hub.freebsd.org>
Organization: W.J.Vermillion / Orlando - Winter Park
List-Id: Security issues [members-only posting]

> Message: 1
> Date: Fri, 9 Jul 2004 09:55:40 -0700 (PDT)
> From: Roger Marquis
> Subject: Re: Root users shell == no existant shell /bin/bash
> To: freebsd-security@freebsd.org
> Message-ID: <20040709165540.2799D2C1CC@mx5.roble.com>
>
> "Peter C. Lai" wrote:
> > as a rule of thumb, you're probably superuser way too much if you
> > develop an urge to change its shell anyway.
>
> Where do people come up with these folk "rules"? I spend all day
> working in various root shells as part of my job. Couldn't do it
> otherwise.
>
> > toor has a disabled (*) password by default. What Brannon
> > should have done was set a password for toor in the beginning,
> > without mucking around with root's shell.
>
> In 8 years of BSD administration I've never seen the toor
> account used. IMO, as a matter of security, KIS, and for
> improved cross-platform compatibility it should be removed from
> the distribution.

I've used it a few times. Since about 1996 I've used the ksh as the
default root shell on all Unix systems I've admined - commercial
distributions and FreeBSD.

I also set up the commercial Unixen the same way FreeBSD does, with
/root being the owner's home directory instead of /. It's one more
little thing that can help prevent a mistype from removing critical
files, by accident, or if there is more than one person with root
access.

Having *toor* with the default /bin/sh came in handy. Something in the
gnu tools had changed and I was having a bizarre failure on building a
port. Logging out and back in under *toor* showed there was an
incompatibility between the current Gnu approach and the ksh I was
running. A quick upgrade to the current sources from AT&T/David Korn
fixed that.

Having an alternate and simple shell can be handy. I've not had to use
toor very often. And I've used the live-CD - #2 CD - twice. But it was
a lifesaver both times.

I moved the ISP I was working for in 1995 completely off the SGI
Challenge servers and the multi $K netscape commercial product to
FreeBSD and Apache in 1996. Far more speed on platforms that weren't as
powerful.

I don't see anything more insecure with having both a root and toor
account. And I've had exactly ONE security breach. I had missed ONE
machine on a telnet upgrade - late 1990s. I caught it within hours of
the daily security email.

I keep them as tight as I can as I'm on a 10Gbps backbone - but I've
never removed toor. But that's just my approach.

Bill
-- 
Bill Vermillion - bv @ wjv . com
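The two concerns running through this thread are that root's login shell may point at a binary that is not installed (the original subject line) and that toor ships with a disabled "*" password. The script below is an added example, not code from the list, from Bill, or from FreeBSD: it audits the uid-0 entries of a master.passwd-style file against a list of installed shells. The file contents are constructed sample data, and the function names (field_of, shell_is_listed, account_is_locked, audit_uid0) are my own.

```shell
#!/bin/sh
# Added example for this thread; not code from the list or from FreeBSD.
# It audits superuser entries in a master.passwd-style file:
#   name:password:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample data (NOT a real master.passwd). root has been given a
# shell that is not installed; toor keeps the default "*" (disabled) password.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:$6$constructedsalt$constructedhash:0:0::0:0:Charlie &:/root:/bin/bash
toor:*:0:0::0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF

# Constructed stand-in for /etc/shells: the shells actually installed on the host.
SAMPLE_SHELLS=$(mktemp)
cat > "$SAMPLE_SHELLS" <<'EOF'
/bin/sh
/bin/csh
/bin/tcsh
EOF
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"' EXIT

# field_of PASSWD USER N: print colon-separated field N of USER's entry (empty if absent).
field_of() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# shell_is_listed PASSWD SHELLS USER: succeed only when USER's login shell is a
# line in SHELLS. A uid-0 account whose shell is not installed cannot log in at all.
shell_is_listed() {
    login_shell=$(field_of "$1" "$3" 10)
    [ -n "$login_shell" ] || return 1
    grep -qx -- "$login_shell" "$2"
}

# account_is_locked PASSWD USER: succeed when the password field is "*", the
# marker FreeBSD uses for an account that cannot authenticate with a password.
account_is_locked() {
    pw=$(field_of "$1" "$2" 2)
    [ "$pw" = "*" ]
}

# audit_uid0 PASSWD SHELLS: report every uid-0 account, one line per check.
# Returns the number of findings (0 means nothing to flag).
audit_uid0() {
    findings=0
    for user in $(awk -F: '$3 == 0 { print $1 }' "$1"); do
        if shell_is_listed "$1" "$2" "$user"; then
            echo "ok:   $user shell $(field_of "$1" "$user" 10) is installed"
        else
            echo "WARN: $user shell $(field_of "$1" "$user" 10) is not in the shells list"
            findings=$((findings + 1))
        fi
        if account_is_locked "$1" "$user"; then
            echo "info: $user is locked (password field '*')"
        fi
    done
    return $findings
}

# Stand-alone run over the constructed sample: flags root, passes toor.
audit_uid0 "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" || echo "findings: $?"
```

On a real host the two file arguments would be /etc/master.passwd (readable only by root) and /etc/shells; the check deliberately treats an installed-but-unlisted shell as a finding too, since only shells in /etc/shells are accepted by the login path the thread is about.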