Subject: Re: getpwent(3) funcs return static structure
To: woods@web.net (Greg A. Woods), Jukka Marin <jmarin@pyy.jmp.fi>
From: Robert Black <r.black@ic.ac.uk>
List: current-users
Date: 03/13/1997 16:45:18
On Mar 13, 10:47am, Greg A. Woods wrote:
> Subject: Re: getpwent(3) funcs return static structure
> [ On Fri, March 7, 1997 at 06:51:51 (+0200), Jukka Marin wrote: ]
> > Subject: Re: getpwent(3) funcs return static structure
> >
> > It would be nice to be able to have multiple superuser accounts without
> > the system getting confused.  This would help where several people maintain
> > the same machines.  We're using root and toor now, and some programs can't
> > tell the difference.
>
> Multiple accounts with uid==0 in the password file are a bad idea, from
> a security perspective.  They increase the risk of a successful root
> attack quite a bit (by an order of N^2 possibly?).

Well, yes *if* your main risk is a brute-force attack. There are circumstances
under which it can reduce the risk (see below).

> Nobody should ever login directly as root either, unless these logins
> are restricted to secure terminals and you can verify who accessed the
> terminal via something like an audit trail from the machine room lock.
>
> So, taken together this implies that every user who admins the machine
> and deserves full uid==0 privileges for these tasks should know the
> root password and should 'su' after logging in to their own account, and
> of course they should never type the root password over an insecure
> channel.

Fair enough.

> If your reason for using multiple root accounts is that you don't want
> too many people to know the root password, then you're sorely mistaken
> as to the risk level.

Not necessarily. One circumstance under which I think this is very useful is
when you have an outside contractor who needs temporary root access. My
inclination would be to create an alternative uid==0 account with a short
expiry for the duration of their needing root access, given that they might do
things like writing the root password on a bit of paper in their wallet (or
anything else likely to have been drummed out of the heads of normal employee
sysadmins). The temporarily increased risk is far outweighed by the decreased
risk to the *real* root account.

> A possible risk reducer would be to modify 'su' to use one-time
> passwords verified by a separate piece of hardware (in addition to using
> a secure channel such as a careful implementation of ssh, or a secure
> hardware terminal connection, for all admin activities).

Well, yes, if you can afford it.

> This is not to say that programs shouldn't be able to tell the
> difference between login user-id and uid....  There can be some
> justification for using multiple user-id's with the same uid in some
> specialized applications.

Cheers

Rob Black