From owner-freebsd-security Tue Jul 25 23:42:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from merlin.prod.itd.earthlink.net (merlin.prod.itd.earthlink.net [207.217.120.156]) by hub.freebsd.org (Postfix) with ESMTP id CA72B37B697 for ; Tue, 25 Jul 2000 23:42:26 -0700 (PDT) (envelope-from cjc@pool0327.cvx20-bradley.dialup.earthlink.net) Received: from pool0327.cvx20-bradley.dialup.earthlink.net (pool0327.cvx20-bradley.dialup.earthlink.net [209.179.251.72]) by merlin.prod.itd.earthlink.net (8.9.3-EL_1_3/8.9.3) with ESMTP id XAA13298; Tue, 25 Jul 2000 23:41:01 -0700 (PDT) Received: (from cjc@localhost) by pool0087.cvx20-bradley.dialup.earthlink.net (8.9.3/8.9.3) id XAA00954; Tue, 25 Jul 2000 23:32:10 -0700 (PDT) Date: Tue, 25 Jul 2000 23:32:09 -0700 From: "Crist J. Clark" To: Bart van Leeuwen Cc: James Wyatt , Jean-Claude STAQUET , freebsd-security@FreeBSD.ORG Subject: Re: allow access of root user Message-ID: <20000725233208.A307@pool0460.cvx20-bradley.dialup.e> Reply-To: cjclark@alum.mit.edu References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from bart@ixori.demon.nl on Tue, Jul 25, 2000 at 04:41:03PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Jul 25, 2000 at 04:41:03PM +0200, Bart van Leeuwen wrote: > Uhm, telnetting in as a user and suing to root has exactly the same > danger, your password goes over the net in plaintext. > > If you want to prevent that consider using ssh instead. > Also note that when using rsh you prevent root from logging in for > interactive access, but an rsh -l root will still > work. > > To be honest, I never really saw the point of disallowing this except for > the simple good habit of never using the root account at all, and only > becomming superuser when you really really have to. Two words: Audit trail. Since so many academic and business machines have multiple administrators, i.e. multiple people who own root, knowing _who_ is actually root is vital for a number of reasons. Direct console logins by root should be discouraged on such machines as well. (When I hear about people leaving root logged in at a console with a GUI waiting to be exploited. "But I locked the screensaver!" Ahhh!) -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message