On Fri, Mar 12, 1999 at 01:28:13PM -0700, Michael K. Sanders wrote:
> In message <19990312205357.A287@skiff.babafou.eu.org>, Marc Baudoin writes:
> >Richard Rauch <rauch@eecs.ukans.edu> écrit :
> >> When I installed my system, there were two UID 0 accounts: root and toor.
> >> 
> >> Is there a reason to include both?
> >
> >No, there's not.  As a security principle, you should restrict
> >uid 0 accounts to one: root.  If you need several people to be
> >given root privileges, give them the root password or use a tool
> >such as sudo that can also control what commands they can access
> >(everybody doesn't need a root shell).
> 
> There _is_ a valid reason for 'toor', though.  It can be useful to
> have a backup root account with '/bin/sh' as the shell, especially if
> you've changed root's shell to something that is not statically linked
> and/or not on the root filesystem.

Actually I routinely remove toor whenever I make a fresh install
of NetBSD.

If fact I have a strong feeling that it is -plain wrong- to ship
NetBSD with a /etc/passwd that triggers the /etc/security script
unconditionally after a clean installation as is the current
situation :-(

If people (like myself) change root's login shell to something
that requires /usr to be mounted (like a dynamically linked
bash), it is our own problem, and if we are not capable of
starting the machine in single-user mode and use /bin/sh, we
should probably not be fiddling with root's shell anyway.

My recommendation: remove toor from the distributed system.

regards
Erik Bertelsen