Subject: Re: Root, toor accounts.
To: Michael K. Sanders <msanders@confusion.net>
From: Erik Bertelsen <erik@mediator.uni-c.dk>
List: netbsd-users
Date: 03/13/1999 06:26:57
On Fri, Mar 12, 1999 at 01:28:13PM -0700, Michael K. Sanders wrote:
> In message <19990312205357.A287@skiff.babafou.eu.org>, Marc Baudoin writes:
> >Richard Rauch <rauch@eecs.ukans.edu> écrit :
> >> When I installed my system, there were two UID 0 accounts: root and toor.
> >>
> >> Is there a reason to include both?
> >
> >No, there's not. As a security principle, you should restrict
> >uid 0 accounts to one: root. If you need several people to be
> >given root privileges, give them the root password or use a tool
> >such as sudo that can also control what commands they can access
> >(everybody doesn't need a root shell).
>
> There _is_ a valid reason for 'toor', though. It can be useful to
> have a backup root account with '/bin/sh' as the shell, especially if
> you've changed root's shell to something that is not statically linked
> and/or not on the root filesystem.
Actually I routinely remove toor whenever I make a fresh install
of NetBSD.
If fact I have a strong feeling that it is -plain wrong- to ship
NetBSD with a /etc/passwd that triggers the /etc/security script
unconditionally after a clean installation as is the current
situation :-(
If people (like myself) change root's login shell to something
that requires /usr to be mounted (like a dynamically linked
bash), it is our own problem, and if we are not capable of
starting the machine in single-user mode and use /bin/sh, we
should probably not be fiddling with root's shell anyway.
My recommendation: remove toor from the distributed system.
regards
Erik Bertelsen