Subject: Re: Changing root's shell to /bin/sh
To: Soren S. Jorvang <soren@t.dk>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-userlevel
Date: 03/17/1999 21:09:52
>>>>> "Soren" == Soren S Jorvang <soren@t.dk> writes:
    Soren> As I see it, having [the ability to have] more than one
    Soren> user profile per uid is a hack/artifact of the way the
    Soren> traditional password database implementation and the world
    Soren> would be a simpler place without it.

    Soren> Having two root accounts is just asking for confusion.

  Okay, please contribute code to allow me to have multiple system(s) 
managers, each with a password that is useful in single user
mode. 
  Remember that I need at least two root passwords in many situations:
one for the engineer whose machine it is (and is permitted to do quite
a number of things), another for the system manager who comes to fix
it when the engineer occasionally screws things up. If you think
letting users have root on the desktop screws up network security,
then I hope you have no PCs or Macs on your network.

  Aside from it being just bad password hygiene to share passwords, 
it is a total pain to change the root password on all machines when
someone leaves. (No, NIS doesn't help, since these are often local
passwords).

  Also remember that when one has more than 20 machines, if one
system administrator leaves, then you have a real tough job if you
have been sharing root passwords. 

    Soren> Also, while I think /bin/sh would be more suitable as the
    Soren> default root shell, a better generalization would perhaps
    Soren> be to have init make a relaxed attempt at finding root's
    Soren> shell from /etc/passwd and offer that when booting in
    Soren> single-user mode?

  Init *ASKS* what shell you want in single user mode.
  If anything, I'd like it to make sure to start the shell as a login
shell, possibly with HOME=/root if that directory exists. I don't
think this happens right now.

]                   At IETF44 in Minneapolis, MN                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
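The thread argues about keeping more than one uid-0 login in /etc/passwd, each with its own password, versus the risk of sharing one root password across machines. An auditor's view of that trade-off is to enumerate the uid-0 entries and check whether any of them share a password hash. The script below is an added example, not code from the thread or from NetBSD: it parses a constructed passwd file (the account names beyond `root`, the hashes and the shells are placeholders) and reports every uid-0 account, whether any two of them share a hash, and what shell `root` would get.

```shell
#!/bin/sh
# Audit a passwd(5)-format file for multiple uid-0 accounts.
# Constructed sample data: the second uid-0 login ("toor") and all hashes
# are placeholders, not values from any real system.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:PLACEHOLDER_HASH_1:0:0:Charlie &:/root:/bin/csh
toor:PLACEHOLDER_HASH_2:0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1:The devil himself:/:/sbin/nologin
soren:PLACEHOLDER_HASH_3:1000:100:Soren:/home/soren:/bin/ksh
EOF

# Print "login:shell:home" for every account whose uid (field 3) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 ":" $7 ":" $6 }' "$1"
}

# Number of uid-0 accounts; anything above 1 deserves a documented reason.
uid0_count() {
    awk -F: '$3 == 0' "$1" | wc -l | tr -d ' '
}

# "shared" if two unlocked uid-0 accounts carry the identical password hash
# (one password behind two logins), otherwise "distinct".
# Hashes starting with "*" or "!" are locked entries and are skipped.
uid0_hash_sharing() {
    awk -F: '$3 == 0 && $2 !~ /^[*!]/ { if (seen[$2]++) dup = 1 }
             END { print (dup ? "shared" : "distinct") }' "$1"
}

# Login shell recorded for the account literally named "root",
# i.e. what a login-shell single-user session would run.
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Stand-alone report. The sample file is deliberately left in place so the
# functions above can be called again afterwards.
echo "uid-0 accounts (login:shell:home):"
uid0_accounts "$SAMPLE_PASSWD"
echo "uid-0 count: $(uid0_count "$SAMPLE_PASSWD")"
echo "uid-0 password hashes: $(uid0_hash_sharing "$SAMPLE_PASSWD")"
echo "root's shell: $(root_shell "$SAMPLE_PASSWD")"
```

Run against a real system by pointing the functions at `/etc/master.passwd` (or `/etc/shadow` on systems that split the hash out) rather than `/etc/passwd`, since the hash column is what the sharing check needs; on the constructed sample the two uid-0 logins have distinct hashes, which is the arrangement the message defends.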