[ On Fri, March 7, 1997 at 06:51:51 (+0200), Jukka Marin wrote: ]
> Subject: Re: getpwent(3) funcs return static structure
>
> It would be nice to be able to have multiple superuser accounts without
> the system getting confused.  This would help where several people maintain
> the same machines.  We're using root and toor now, and some program's can't
> tell the difference..

Multiple accounts with uid==0 in the password file are a bad idea, from
a security perspective.  They increase the risk of a successful root
attack quite a bit (by an order of N^2 possibly?).

Nobody should ever login directly as root either, unless these logins
are restricted to secure terminals and you can verify who accessed the
terminal via something like an audit trail from the machine room lock.

So, taken together this implies that every user who admins the machine
and deserves full uid==0 priviledges for these tasks should know the
root password and should 'su' after logging in to their own account, and
of course they should never type the root password over an insecure
channel.

If your reason for using multiple root accounts is that you don't want
too many people to know the root password, then you're sorely mistaken
as to the risk level.

A possible risk reducer would be to modify 'su' to use one-time
passwords verified by a separate piece of hardware (in addition to using
a secure channel such as a careful implementation of ssh, or a secure
hardware terminal connection, for all admin activities).

This is not to say that programs shouldn't be able to tell the
difference between login user-id and uid....  There can be some
justification for using multiple user-id's with the same uid in some
specialized applications.

-- 
							Greg A. Woods

+1 416 443-1734			VE3TCP			robohack!woods
Planix, Inc. <woods@planix.com>; Secrets Of The Weird <woods@weird.com>