Date:      Thu, 10 Oct 2002 00:21:21 -0400
From:      Bob Johnson <stest033@garbonzo.hos.ufl.edu>
To:        "Pranav A. Desai" <pdesai1@cs.uh.edu>, freebsd-questions@FreeBSD.ORG
Subject:   Re: How to create another account with root privileges ?
Message-ID:  <200210100021.21979.stest033@garbonzo.hos.ufl.edu>
In-Reply-To: <Pine.GSO.4.33.0210091959180.670-100000@themis.cs.uh.edu>
References:  <Pine.GSO.4.33.0210091959180.670-100000@themis.cs.uh.edu>

On Wednesday 09 October 2002 09:02 pm, Pranav A. Desai appears to have written:
> Hi!
>    I have been asked to create admin accounts for a machine such that
> all of them can access that machine as root but with different
> username and password.
>

In many environments, this is reasonable.  Sometimes you have
more than one person who must have full administrative rights,
unless you plan to have your one administrator be on 24/7 call.  It is
good policy to prohibit anyone, even administrators, from sharing
accounts, so you give each admin their own account.  Of course, if
they only need limited admin rights, then sudo is probably a better
solution.  Talk to your customer and find out what they are really trying
to accomplish.

The "toor" account is an example of exactly what you want, although
by default it is disabled (by an invalid password field).  To create a
similar account, use "vipw" to edit the password file.  Copy the root entry,
but give each person their own name and the shell of their choice (the
shell must be in /etc/shells).

Leave everything else the same as for root.  If you copy the password
field from the root account, then the new admin account will have the
same password, which should be changed by the user of the account.
Also, never change the shell for root.  It needs to be as it is for some
things to work right.  That's why the toor account exists: so you can
set up an admin account with your choice of shell.

The big disadvantage of this is that if you have three admin accounts,
an attacker has three times greater chance of cracking the root
password if they get their hands on your password file.  Stress to the
admins that it is critical that they use strong passwords on the admin
accounts.  A good way to create a strong password is to come up
with a sentence of 8 or more words known only to yourself (i.e. NOT
a well known phrase), and take the first letter of each word to form an
acronym.  Throw in some strange capitalization and a few special
characters for best effect.  For example, the phrase might be
"my mother dances with bears (in the moonlight)", which gives me a
password of "mMdwb(itm)".  If the phrase used is widely known, this
method becomes as easy to crack as single words of the same length,
but if you use unique phrases the resulting passwords are very good.

Sure, the admins can do bad things and cover their tracks if they put
enough effort into it, but they can do that if they share a single admin
account, also.

Hope that helps.

- Bob



> Thanks
>
> -pranav
>
> *******************************************************************
> Pranav A. Desai
>
> Home :- (937) 294 1381
> *******************************************************************
>
> On 9 Oct 2002, Kirk Strauser wrote:
> > At 2002-10-09T17:36:02Z, "Pranav A. Desai" <pdesai1@cs.uh.edu> writes:
> > > How can I create a user account that can function like a root
> > > account with the same prilieges ? I need to create three such
> > > account. Is it possible ?
> >
> > Short answer: you probably don't really want to do this.  What
> > problem are you needing to solve by having multiple root accounts?
> > --
> > Kirk Strauser
> > In Googlis non est, ergo non est.
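The procedure in Bob's reply (copy root's master.passwd entry, change only the login name and shell, check the shell against /etc/shells) and the risk he warns about (every extra UID-0 entry is another copy of the root password for a cracker to attack) can be worked through in a small script. The following is an added example, not code from the original thread or from FreeBSD; it uses the ten-field master.passwd(5) layout, constructed sample file contents with placeholder hashes, and locks the new entry with a "*" password field (the same invalid-hash trick that keeps toor disabled) so that each admin has to set their own password with passwd(1). It only generates and audits lines; the generated line still goes into the password file through vipw.

```python
# Added example, not part of the original mailing-list post.
# Builds a toor-style UID-0 entry the way the reply describes (copy root's
# master.passwd line, change only the login name and shell, shell must appear
# in /etc/shells) and audits a password file for the risk the reply warns
# about: several UID-0 accounts, some sharing root's password hash.
# All file contents here are constructed sample data with placeholder hashes.

MASTER_PASSWD_FIELDS = ("name", "password", "uid", "gid", "class",
                        "change", "expire", "gecos", "home", "shell")

# Constructed sample of /etc/master.passwd (master.passwd(5) layout).
SAMPLE_MASTER_PASSWD = """\
root:$6$PLACEHOLDERROOTHASH:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$PLACEHOLDERALICEHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
"""

# Constructed sample of /etc/shells.
SAMPLE_SHELLS = """\
# List of acceptable shells for chpass(1).
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash
"""


def parse_master_passwd(text):
    """Parse master.passwd-style lines into dicts keyed by field name."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(MASTER_PASSWD_FIELDS):
            raise ValueError("malformed entry: %r" % line)
        entries.append(dict(zip(MASTER_PASSWD_FIELDS, parts)))
    return entries


def parse_shells(text):
    """Return the set of shells listed in an /etc/shells-style file."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}


def make_admin_entry(root_entry, name, shell, shells):
    """Copy the root entry, changing only the login name and shell.

    The password field is set to '*' (an invalid hash, the same trick that
    keeps toor disabled) so the new admin must set their own password with
    passwd(1) instead of inheriting root's.
    """
    if root_entry["uid"] != "0":
        raise ValueError("template entry is not UID 0")
    if shell not in shells:
        raise ValueError("%s is not listed in /etc/shells" % shell)
    entry = dict(root_entry)
    entry["name"] = name
    entry["shell"] = shell
    entry["password"] = "*"
    return entry


def format_entry(entry):
    """Render an entry back into one master.passwd line."""
    return ":".join(entry[f] for f in MASTER_PASSWD_FIELDS)


def audit_uid0(entries):
    """List every UID-0 account with what an auditor cares about: whether it
    is locked, whether it has no password at all, and whether it shares
    root's hash (i.e. root's password), which the reply says must be changed."""
    root_hash = next(e["password"] for e in entries if e["name"] == "root")
    findings = []
    for e in entries:
        if e["uid"] != "0":
            continue
        pw = e["password"]
        findings.append({
            "name": e["name"],
            "locked": pw.startswith("*") or pw.startswith("!"),
            "no_password": pw == "",
            "shares_root_hash": e["name"] != "root" and pw == root_hash,
        })
    return findings


if __name__ == "__main__":
    entries = parse_master_passwd(SAMPLE_MASTER_PASSWD)
    shells = parse_shells(SAMPLE_SHELLS)
    root = next(e for e in entries if e["name"] == "root")
    print(format_entry(make_admin_entry(root, "bob", "/bin/sh", shells)))
    # Simulate an admin who copied root's password field verbatim.
    entries.append(dict(root, name="carol", shell="/bin/tcsh"))
    for finding in audit_uid0(entries):
        print(finding)
```

Run as a script it prints the generated "bob" line and then one finding per UID-0 account; the simulated "carol" entry is reported as sharing root's hash, which is exactly the case where one cracked hash opens two logins. The audit function is also usable on a real master.passwd copy to confirm that every UID-0 account other than root is either locked or carries its own hash.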

