Date:      Mon, 7 Jan 2002 23:59:05 -0600 (CST)
From:      Ryan Thompson <ryan@sasknow.com>
To:        Arcady Genkin <agenkin-dated-1011329481.db2849@thpoon.com>
Cc:        <chat@FreeBSD.ORG>
Subject:   Re: Multiple root accounts
Message-ID:  <20020107233232.O26769-100000@catalyst.sasknow.net>
In-Reply-To: <87zo3p776c.fsf@tea.thpoon.com>

Arcady Genkin wrote to chat@FreeBSD.ORG:

> [...]
> Here's what I can think of with regards to having one UID 0 account
> per each admin:
>
> Pros:
> - each admin can have his own customization (dot files etc.)

Yes.

> - possibly, accountability is increased

Yes, for the normal things. Although anybody with superuser privs can
easily mangle logs, etc.


> - each admin can choose a password that's easy to remember for him

Yes, and have the freedom to change that password independently of the
other admins.

> - no need to communicate a new password, like it would have to be
>   communicated if one root account were shared


>
> Cons:
> - there is a chance that some admin would choose a weak root password

Yes, but if you have an admin that does that, he/she should really NOT
have root access ;-)


> - anything else?..
>
> What am I missing?  It would be nice to hear how others approach
> this problem.

Multiple accounts with uid, gid = 0 are the better approach of the two.

Also check out sudo (/usr/ports/security/sudo). It allows you to pick
and choose actions for each user that are run with elevated privs. It
provides a much more granular approach to delegating sysadmin tasks.

But, I feel as though I should state my opinion in the larger picture.
Having more than one full administrator for each machine, IMO, is
usually a bad idea, unless perhaps it's a toy box for development, and
even then you need some solid network ground rules. If you need to
share the administration of one machine, I favor the following
approach:

 o  ONE responsible, accountable administrator with root access

 o  No one else with a root account

For each delegated responsibility "x", follow this questioning,
in this order:
 1. Can x be done by a normal user? (More often than not, the answer
    is "yes", or "yes, with a few changes to ownerships and group
    membership"). If yes, do it.
 2. Can x be implemented securely by a standard root process (e.g.,
    cron)? If yes, do it.
 3. Is there an alternative to x that does not require superuser
    privs? (i.e., move things to SQL database, install a competing
    version of the program, etc)
 4. Ok, if x really requires root, can it be executed with sudo?
    (I am not aware of very many things that can't be done with
    sudo.. so the answer is probably "yes").
 5. If all else fails, the single root user can do it. If it is
    a sufficiently time consuming task, you'll be looking for ways
    to do it in 1..4 pretty soon. :-)

Sometimes, you'll find tradeoffs, and the above, by far, isn't an
exact science, but as a general approach, it seems to work quite well
for myself and others.  If you force yourself to consider option 1
before 2, etc, as opposed to being lazy and doing everything as root
(or, worse yet, handing out root passwords) you'll most often end up
with a more stable and secure system. Even if you don't need to
delegate any responsibilities, this is a good approach to follow, to
shield you from accidental root mishaps and the like.

To reuse a tired cliche, giving someone root access to perform two or
three tasks is like using a sledgehammer to crack a walnut. Seek
viable alternatives! :-)

- Ryan

-- 
  Ryan Thompson <ryan@sasknow.com>
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America


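Added example, not part of Ryan's message or of the sudo project: a sudoers fragment showing the granular delegation he points to (the sudo port, and step 4 of his questioning list), with the blanket grant kept alongside for contrast. The host names, the webadmin group, the rc.d and httpd.conf paths and the log file location are assumptions chosen for illustration.

```sudoers
# Assumed sudoers fragment (example only). Check it with
#   visudo -c -f /path/to/this/file
# before installing, since a syntax error in /etc/sudoers locks everyone out.

# --- Weak: this is a second root account with extra keystrokes ---
# alice   ALL=(ALL) ALL

# --- Granular: delegate the specific task "x" and nothing more ---
Host_Alias  WEBHOSTS = www1, www2          # assumed host names

# Step 1 of the questioning list: whatever a normal user can do after a
# chgrp/chmod belongs in group membership, not here. Only what genuinely
# needs root is listed below.
Cmnd_Alias  WEBCTL = /usr/local/etc/rc.d/apache restart, \
                     /usr/local/etc/rc.d/apache reload

# Members of the assumed 'webadmin' group may restart or reload the web
# server on the web hosts only. Each admin authenticates with his own
# password, and every invocation is logged with the invoking user, which
# is the accountability point raised in the thread.
%webadmin   WEBHOSTS = (root) WEBCTL

# File edits go through sudoedit: the editor runs as the admin, and only
# the copy-back to the named file happens as root.
%webadmin   WEBHOSTS = sudoedit /usr/local/etc/apache/httpd.conf

# Keep a dedicated log of who ran what (syslog remains the default sink).
Defaults    logfile=/var/log/sudo.log
Defaults    use_pty

# Review notes for anyone extending this:
#  - Do not grant editors, pagers or anything else that can spawn a shell;
#    that turns a narrow grant back into full root.
#  - Spell out arguments rather than using wildcards: sudo matches the
#    argument list as one space-separated string, so a pattern such as
#    '/usr/bin/tail /var/log/httpd*' also matches extra file arguments.
#  - Reserve NOPASSWD for unattended jobs that genuinely need it.
```

Each rule answers exactly one "x" from the delegation checklist; when a new request comes in, add one more Cmnd_Alias rather than widening an existing one.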




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020107233232.O26769-100000>