>> It would be nice to be able to have multiple superuser accounts
>> without the system getting confused.

[a sentiment with which I agree wholeheartedly; it is far too hard to
have multiple users with the same uid, and the current paradigm for
super-users means that that is the only way to have multiple
super-users.]

> Multiple accounts with uid==0 in the password file are a bad idea,
> from a security perspective.  [...]

True, to an extent.  They increase risk.  The increased risk is an
acceptable tradeoff for the benefit, to many admins.

> Nobody should ever login directly as root either, unless [...]

Yeah, and nobody should have physical access, and there shouldn't even
_be_ a super-user, and lots of other things.

All of these dicta are true in that they increase security when
implemented.

Each one also carries a price (usually in convenience for legitimate
users) when implemented.

For many admins, the tradeoff is worth it.  The point from NetBSD's
perspective is that it is not reasonable for NetBSD to force certain of
these choices on admins.  In particular, it is not reasonable to impose
the requirement that the username->uid mapping be one-to-one,
regardless of whether the uid is zero or not.

> If your reason for using multiple root accounts is that you don't
> want too many people to know the root password, then you're sorely
> mistaken as to the risk level.

I'm not convinced.  It depends on where the risk is, and that's a
site-specific judgement call.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B