From: Erik Norgaard
Date: Mon, 20 Dec 2004 16:57:36 +0100
To: Tom Vilot
Cc: FreeBSD Questions
Subject: Re: bash - superuser

Tom Vilot wrote:

>> Using a shell not contained in the root filesystem can cause problems
>> even when not in single user mode. There are enough examples in the
>> archives.
>
> Admittedly, I'm still a bit of a noob, but I can't stand any shell but
> bash. Is it a big problem just to start bash once you've logged in?
I had it like you until I discovered just how cool csh manages your command history: type the first letter and it will only go through commands with that letter, type two ... yeah, you guessed right. But I do like that bash shows me the options when autocomplete does not have a unique completion.

If it really annoys you, you can go through scripting the login such that it will start bash if it exists and otherwise csh/sh whatever. It is doable, I had my login create a time stamp file and open an editor on logout to produce a cvs-sort-of-like history - why were you root?

>> Just not for root. You should not even use the root account
>> unless absolutely necessary.
>>
> Ya mean like ...
>
> ... editing /etc/rc.conf

which you do only on new systems - about the first month of running.

> ... installing a port or package
> ... updating the ports tree and/or running portupgrade

Have your ports tree writable by the staff/administrator group. When privileges need to be elevated you are prompted for a password.

> ... configuring the firewall

Which you don't do on a daily basis.

> ... backing up the file system

Which is a cronjob.

> ... checking /var/log files for attempts at cracking

Consider setting the permissions for the group so wheel members have read permissions.

> ... reading root's email

You don't, just as you don't send email as root. root email should be forwarded to members of the wheel group, and a local copy only kept for reading when everything is down. Alternatively, with cyrus-imap you can share a common mail-box to specific users. I like this solution, as I can see if someone else has read the mail and hence assume they also took care of any problems. It is my experience that if mail is not forwarded the responsible will tend to forget to read it and problems may go unnoticed for days.

> ... rsyncing to a remote server

rsyncing what? do you allow remote root login on your servers?
I don't have anything that needs rsync by root, but even when I did, it was a cronjob.

Certainly, there are things that need to be done as root, but these are typically single commands. You don't need a permanent root shell. If you have a major task to do as root, go ahead, start up bash - what's the big problem?

Cheers, Erik

--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
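Added example, not from anyone in this thread: a POSIX sh version of the "start bash if it exists, otherwise fall back" login idea, plus a check for the root-filesystem caveat quoted at the top (a shell under /usr/local is unreachable in single-user mode when only / is mounted). The mount lists handed to the functions are constructed; the live check at the end reads the real mount table only when you call it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pick a shell that really
# exists, and tell whether a login shell sits on the root filesystem.
# csh users can put the fallback straight into ~/.login:
#   if ( -x /usr/local/bin/bash ) exec /usr/local/bin/bash
# The sh functions below make the same decision testable.

# Echo the first argument that is an executable file; fail if none is.
pick_shell() {
    for s in "$@"; do
        if [ -x "$s" ]; then
            echo "$s"
            return 0
        fi
    done
    return 1
}

# Longest-prefix match of a path against a whitespace-separated list of
# mount points (third column of mount(8) output). Echoes the mount point
# the path lives on; "/" matches everything, so it is the floor.
mountpoint_of() {
    path=$1
    best=
    for m in $2; do
        case "$m" in
            /) hit=1 ;;
            *) case "$path" in "$m"|"$m"/*) hit=1 ;; *) hit=0 ;; esac ;;
        esac
        if [ "$hit" -eq 1 ] && [ ${#m} -gt ${#best} ]; then
            best=$m
        fi
    done
    echo "$best"
}

# Succeed only when the shell's path is on the root filesystem.
shell_on_root_fs() {
    [ "$(mountpoint_of "$1" "$2")" = / ]
}

# Live check of root's login shell against the current mount table
# (not run automatically; call it by hand on a FreeBSD box).
check_root_shell() {
    rootsh=$(awk -F: '$1 == "root" { print $7 }' /etc/passwd)
    mounts=$(mount | awk '{ print $3 }' | tr '\n' ' ')
    shell_on_root_fs "$rootsh" "$mounts" && echo "root shell $rootsh is on /" ||
        echo "WARNING: root shell $rootsh is on $(mountpoint_of "$rootsh" "$mounts")"
}
```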