Subject: Re: CVS commit: src
To: Bill Studenmund <skippy@macro.Stanford.EDU>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: current-users
Date: 03/17/1999 14:45:27
On Wed, Mar 17, 1999 at 11:19:50AM -0800, Bill Studenmund wrote:
> On 17 Mar 1999, Chris Jones wrote:
> 
> > >>>>> "Greg" == Greg A Woods <woods@most.weird.com> writes:
> > 
> > On Tuesday, March 16, 1999 at 23:18:10 (-0800), Jason Thorpe wrote:
> > >> That's absolutely silly, hacking the security script for toor.
> > 
> > Greg> I'll say, and I'll even go further than that: it's a blatant
> > Greg> compromise of the security checks to make an exception for
> > Greg> "toor".
> 
> Dudes, we've been considering toor a root account since 1.0! The test (on
> line 93 of $NetBSD: security,v 1.36$ which ignores toor (and root) when it
> finds logins with uid 0 appeared in version 1.9 of the file, which shipped
> with NetBSD 1.0.
> 
> All that's happened in the past few days is that I've changed a check a
> few lines down to also not bitch about toor, and we've told everyone this
> special case is present. :-)
> 
> > Yep.  But there seems to be a demand for making the exception for
> > toor.  I've also heard people say that they should be able to make
> > exceptions for other UID-0 users.
> 
> Right. That's why I put toor back, so that there'd be an example of how to
> do this if a site wants to.
> 
> > Maybe, if we decide that the exception needs to be there, it should be
> > in the form of a DUP_UID_EXCEPTIONS="toor" variable in
> > /etc/security.conf.  Or something similarly configurable.  That way,
> > if we ship a system without toor, that variable is set to an empty
> > list -- if somebody adds a toor to my system, I get warned about it.
> > But the people who have 5 different UID-0 accounts can add all of them
> > to the list of exceptions, and they won't get the "little boy who
> > cried wolf" symptoms.
> 
> I think this change is the cleanest. Since I didn't know how to do it, I
> made the change the way I did. toor appears in two tests, the duplicate id
> test, and the uid 0 test. So we should have two variables:
> VALID_DUP_UIDS and VALID_ROOT_UIDS (so you could have multiple uid 10
> accounts if you wished).

The script should complain if an account is listed in VALID_DUP_UIDS or
VALID_ROOT_UIDS but isn't in the password file.

Why?  So if you delete the account, you have a reminder to remove it from
the list that the security script uses.  That way, if it mysteriously
shows up again, the fact that the system shipped with an exception for
it in the security script won't cause you to not receive notice...!

I think what you propose, plus this, pretty much addresses all concerns
about the "toor" account *and* provides useful new flexibility.
  
-- 
Thor Lancelot Simon	                                      tls@rek.tjls.com
	"And where do all these highways go, now that we are free?"
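The two exception lists and the stale-entry check discussed above, as an added illustration in POSIX sh. This is not the NetBSD security script itself: VALID_ROOT_UIDS and VALID_DUP_UIDS are the variable names from the thread, while the helper function names and the sample password file are constructed for the example.

```shell
#!/bin/sh
# Added example of the proposed exception lists; not the NetBSD security
# script. The helper names and the sample passwd(5) file are assumptions.

# Constructed sample password file: root/toor and an unlisted "stray"
# share uid 0, alice and bob share uid 10, "ghost" has been deleted.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:Charlie Root:/root:/bin/sh
toor:*:0:0:Bourne-again Superuser:/root:/bin/sh
stray:*:0:0:Unexpected uid 0:/root:/bin/sh
alice:*:10:10:Alice:/home/alice:/bin/sh
bob:*:10:10:Bob:/home/bob:/bin/sh
carol:*:1001:1001:Carol:/home/carol:/bin/sh
EOF

# The per-site lists that would live in /etc/security.conf.
VALID_ROOT_UIDS="root toor"
VALID_DUP_UIDS="root toor alice ghost"

# Does name $1 appear in the space-separated list $2?
in_list() {
    for _n in $2; do [ "$_n" = "$1" ] && return 0; done
    return 1
}

# Report uid-0 accounts in passwd file $1 that are not in VALID_ROOT_UIDS.
check_root_uids() {
    awk -F: '$3 == 0 { print $1 }' "$1" | while read -r name; do
        in_list "$name" "$VALID_ROOT_UIDS" ||
            printf 'Uid 0 account not in VALID_ROOT_UIDS: %s\n' "$name"
    done
}

# Report accounts sharing a uid with another account, unless listed in
# VALID_DUP_UIDS (each test consults only its own list, as in the thread).
check_dup_uids() {
    awk -F: '{ n[$3] = n[$3] " " $1; c[$3]++ }
             END { for (u in c) if (c[u] > 1) print u n[u] }' "$1" |
    while read -r uid names; do
        for name in $names; do
            in_list "$name" "$VALID_DUP_UIDS" ||
                printf 'Duplicate uid %s: %s\n' "$uid" "$name"
        done
    done
}

# Thor's addition: an exception with no passwd entry is reported, so a
# deleted account cannot quietly keep its exception if it reappears.
check_stale_exceptions() {
    for name in $VALID_ROOT_UIDS $VALID_DUP_UIDS; do
        awk -F: -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$1" ||
            printf 'Exception listed but not in password file: %s\n' "$name"
    done
}
```

Running the three checks against the sample flags only "stray" (both tests), "bob" (duplicate uid 10) and the stale "ghost" exception.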