
Re: [suse-security] Re: Root user



I think perhaps in this line of discussion, one must ask what the benefits
are for having two account names with the same userIDNumber, and what the
possible side effects of this action are.  Based on the answer to those
two questions, and the security requirements of the system in question you
can then take the appropriate action.

When administering Solaris systems prior to 5.7, I've found it convenient
to have a duplicate root user whose home directory and shell are different
from the default.  On systems running older or improperly configured
versions of sendmail for instance, this could have allowed security
compromises which would not have otherwise occurred.  However, Sun has
always said that you shouldn't change the login shell or home directory of
the user 'root'.  Indeed, earlier versions of Solaris did depend on 'root'
having a certain shell.

As my experience has grown I've discovered that this warning from Sun is
only in place to make it easier for their support technicians to
troubleshoot issues remotely.

Now then...  By default, failed login or su attempts to the 'root'
username are logged extensively, including sending a notification to any
users logged in with the userIDNumber of 0.  Other userNames whose
userIDNumber is 0 may not be logged in such a manner.  Perhaps we could
count this as reason number one, and depending upon the security
requirements of the system in question this alone could be enough.

On most systems, Authentication and Authorization are interlinked so
tightly that the distinction between the two becomes blurred.  You
authenticate based on your userName, principalName, etcetera.  You are
then counted by the operating system as Authorized for access to given
functionality usually according to your userIDNumber, which was derived
from your userName.  Only in the realm of new media (web applications) has
the userName taken precedence over the userIDNumber.

Further, we have the question of system accounting.  Most accounting
systems will take the first userName found with a given userIDNumber to be
the username of all actions performed by that userIDNumber.  For systems
requiring C2 level or above security, having two userNames with the same
userIDNumber immediately removes your clearance, as you cannot prove with
reasonable effort which userName was logged in as that userIDNumber.

So in conclusion, I will state that duplicate logins with differing
userNames are a bad idea in my opinion, dependent upon security and
accounting requirements.  I cannot state that I have not committed the sin
of having done so, but I stand by the conclusion.

In the instance of modern POSIX compliant systems running ssh, I can see
no true benefit to having a secondary root account.  I count Linux as a
modern POSIX compliant system.  Startup and shutdown scripts are not
dependent upon the user 'root's shell, nor are they dependent upon that
user's home directory.  Therefore, I cannot see the benefit of copying
the root account's privileges to another username under Linux.  I can see
this need only for systems which are dependent upon the shell and/or home
directory of the 'root' userName.

pinard@xxxxxxxxxxxxxxxx (François Pinard) wrote:
> [Steffen Dettmer]
>
>> * Francois Pinard wrote on Wed, Jul 09, 2003 at 10:03 -0400:
>> > I once used to have a `root' and a `root2', both having uid 0 in
>> > `/etc/passwd', and I used this for quite a while, and do not remember
>> > any adverse effect.
>
>> What does this help?
>
> Someone wrote that this was not to be recommended, yet without giving real
> reasons against it.  I just wanted to say that any recommendation should
> be backed by some justification.  In my case, I had good reasons to use
> `root' and `root2', and saw nothing wrong with it for the time I needed
> it.
>
> So far in this thread, I did not see a convincing justification yet, for
> avoiding two accounts with the same UID.
>
>> It would be interesting to know, "what root" e.g. changed or created a
>> file, but as you stated, this is not possible this way.
>
> If there is indeed a need to know, then of course, having two accounts for
> the same UID is not acceptable.  That need does not necessarily exist.
>
>> I think this may introduce some confusion (without any positive effect I
>> can see) - which I would not recommend.
>
> Or maybe, it just does not introduce any confusion for those needing it.
>
>> Maybe this is a reason: KISS (keep it simple, stupid) is a little
>> violated by such a configuration (which I would call uncommon and
>> misleading, maybe).
>
> Uncommon, I agree.  But maybe not misleading at all.  I do not think that
> if someone knows what s/he is doing (and why!), there is a real problem.
>
> This thread is a bit amusing, as some correspondents try to guess "why",
> but do not necessarily guess correctly.  They then reply to their own
> guesses...


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
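The two concrete points raised above, that failed-login notification only reaches the userName 'root' and that accounting systems attribute every action by a UID to the first userName carrying it, both come down to the same check: does /etc/passwd contain more than one userName for a given userIDNumber, and which one wins a lookup? The script below is an added example and is not code from the original post or from any of the correspondents. It assumes the standard seven-field passwd format and assumes, as the post states, that UID-to-name resolution (getpwuid-style lookups, accounting tools) returns the first matching line; the sample passwd content is constructed for the example.

```python
"""Audit an /etc/passwd-style file for user names that share a UID.

Added example, not code from the original thread. Assumes the standard
seven-field passwd format and first-match UID-to-name resolution.
"""
from collections import OrderedDict

# Constructed sample in /etc/passwd format: 'root' and 'root2' share UID 0,
# mirroring the configuration discussed in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
root2:x:0:0:second root:/home/root2:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1000:Bob:/home/bob:/bin/bash
"""


def parse_passwd(text):
    """Return a list of (name, uid, home, shell) tuples in file order.

    Blank lines, comments and malformed lines (not seven colon-separated
    fields, or a non-numeric UID) are skipped so a partly damaged file still
    yields whatever can be read.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        entries.append((name, int(uid), home, shell))
    return entries


def shared_uids(entries):
    """Map each UID that appears more than once to its user names, in file order."""
    by_uid = OrderedDict()
    for name, uid, _home, _shell in entries:
        by_uid.setdefault(uid, []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def first_name_for_uid(entries, uid):
    """Name that a first-match resolver would return for this UID.

    This is the name an accounting record for the UID ends up attributed to,
    regardless of which of the duplicate names actually logged in.
    """
    for name, entry_uid, _home, _shell in entries:
        if entry_uid == uid:
            return name
    return None


def audit(text):
    """Return human-readable findings, one per UID shared by several names."""
    entries = parse_passwd(text)
    findings = []
    for uid, names in sorted(shared_uids(entries).items()):
        attributed = first_name_for_uid(entries, uid)
        # A shared UID 0 is the case the thread is about: it loses both the
        # root-specific login logging and any per-user accountability.
        severity = "HIGH" if uid == 0 else "MEDIUM"
        findings.append(
            f"{severity}: UID {uid} shared by {', '.join(names)}; "
            f"actions by UID {uid} will be attributed to '{attributed}'"
        )
    return findings


if __name__ == "__main__":
    # On a real host: audit(open("/etc/passwd").read())
    for finding in audit(SAMPLE_PASSWD):
        print(finding)
```

Running it against the constructed sample reports one finding: UID 0 is shared by root and root2, and anything UID 0 does will be attributed to 'root', which is exactly the accountability gap the C2-level remark in the post refers to. Running it against a live /etc/passwd is a cheap way to confirm that no such duplicate exists on systems where per-user accountability matters.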