Date:      Thu, 10 Oct 2002 21:01:51 -0400
From:      Bob Johnson <stest033@garbonzo.hos.ufl.edu>
To:        Peter Leftwich <Hostmaster@Video2Video.Com>, FreeBSD LIST <FreeBSD-Questions@FreeBSD.Org>
Subject:   Re: How to create another account with root privileges ?
Message-ID:  <200210102101.52099.stest033@garbonzo.hos.ufl.edu>
In-Reply-To: <20021010003307.C41584-100000@earl-grey.cloud9.net>
References:  <20021010003307.C41584-100000@earl-grey.cloud9.net>

On Thursday 10 October 2002 12:38 am, Peter Leftwich appears to have written:
> On Thu, 10 Oct 2002, Bob Johnson wrote:
> > On Wednesday 09 October 2002 09:02 pm, Pranav A. Desai appears to have written:
> > > Hi! I have been asked to create admin accounts for a machine such
> > > that all of them can access that machine as root but with
> > > different username and password.
> >
> > In many environments, this is reasonable.  Sometimes you have
> > more than one person who must have full administrative rights,
> > unless you plan to have your one administrator be on 24/7 call.  It
> > is good policy to prohibit anyone, even administrators, from
> > sharing accounts, so you give each admin their own account.  Of
> > course, if they only need limited admin rights, then sudo is
> > probably a better solution.  Talk to your customer and find out
> > what they are really trying to accomplish.
>
> man su
>

Yes, most facilities have admins login with their personal accounts
and then su to root.  It is the traditional way, but doesn't answer the
original question.  There is something to be said for being able to
instantly change the root password without having to propagate a new
password to the other admins who may be off duty, on vacation, or
whatever.  E.G., what happens if an admin screws up and reveals their
password to the world?  No, it isn't a perfect system, but I think the
advantages outweigh the disadvantages.  My feelings won't be hurt if
someone points out that I missed something obviously wrong with this.

I've also found it difficult to keep some admins from logging in at
the console as root (because it's "too hard" to log in as a user and
then su to root, and besides, that's how they've always done it).  You
can't (or at least you probably don't want to) disable console logins
by admin accounts, so the next best thing is to give each admin their
own account and don't tell them the root password.  The point here
isn't to keep a dishonest admin from hiding their tracks (it takes a
lot more effort to do that, if you can do it at all), but to keep the
lazy admins honest.

In my case it is actually site policy (created with no particular
operating system in mind) that no two users, even admins, may share an
account unless absolutely necessary.  I went ahead and set up to comply
with the policy since I couldn't think of a reason not to, and I also
agree that it is good policy.  We are trying to get people out of the
habit of casually sharing passwords.

In any case, it's a tool that may be useful in some situations.

> > The "toor" account is an example of exactly what you want, although
> > by default it is disabled (by an invalid password field).  To
> > create a similar account, use "vipw" to edit the password file.
> > Copy the root entry, but give each person their own name and the
> > shell of their choice (the shell must be in /etc/shells).
>
> What -is- that toor (root backwards) account for anyways??
>

The toor account was originally an admin account with the bash shell.
root used sh.  You do not (or did not at that time) want to set the root
shell to be bash, it causes a bunch of not immediately obvious
problems, so the toor account was created for those who like bash.
It took a few iterations to find the various utilities confused by
multiple root accounts and fix them.

> Is there a command similar to vipw that uses a simpler editor, like
> pico?
>

No, but you can change the default editor that vipw uses by
setting the EDITOR variable.

> > Leave everything else the same as for root.  If you copy the
> > password field from the root account, then the new admin account
> > will have the same password, which should be changed by the user of
> > the account. Also, never change the shell for root.  It needs to be
> > as it is for some things to work right.  That's why the toor
> > account exists: so you can set up an admin account with your choice
> > of shell.
>
> I always log in 100% of the time to my box as root and my shell is
> tcsh
>

That is generally considered to be a really bad thing.  If you screw
up and issue a highly destructive command, nothing stops root
from destroying your entire system.  If some attacker manages to
gain access to your account, they own the entire system if your
account is root.

> Does it matter that (I think) I changed the shell for root?
>

It can.  If the shell you selected is not in /bin, or it needs libraries
that are not in /bin, you may find it difficult to fix problems that
require you to interrupt a boot before all the drives are mounted.
Thus, since bash is not in /bin, you want to create a second admin
account (toor) if you happen to want to use bash as your admin shell.
If it happens that that is no longer necessary, well, at least now you
know the historical reason.

There used to be problems with some boot-time scripts not
executing properly if the root shell wasn't sufficiently similar
to sh, but I _think_ that's cleaned up now so that they all run
in an explicitly specified shell.


[...remainder deleted...]

- Bob


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200210102101.52099.stest033>
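
An audit for the setup discussed in this thread, as an added example that is not part of the original message: it lists every UID 0 entry in a passwd-format file and flags additional root-equivalent accounts, shells missing from the shells file, and a root shell outside /bin. The function names, flag names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# audit_uid0 PASSWD_FILE SHELLS_FILE
# Prints "name:shell:flags" for every UID 0 entry (passwd or master.passwd format).
audit_uid0() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load permitted login shells, ignoring comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") ok[line] = 1
            }
        }
        /^#/ || NF < 7 { next }                  # comments, malformed lines
        $3 ~ /^0+$/ {
            shell = $NF                          # last field in both formats
            if (shell == "") shell = "/bin/sh"   # empty shell field means /bin/sh
            flags = ""
            if ($1 != "root") flags = flags ",extra-uid0"
            if (!(shell in ok)) flags = flags ",shell-not-in-shells"
            if ($1 == "root" && shell !~ /^\/bin\//)
                flags = flags ",root-shell-outside-/bin"
            # master.passwd has 10 fields; a leading "*" means no usable hash.
            if (NF == 10)
                flags = flags ($2 ~ /^\*/ ? ",login-disabled" : ",login-enabled")
            print $1 ":" shell ":" (flags == "" ? "ok" : substr(flags, 2))
        }
    ' "$1"
}

# Constructed sample data (hypothetical accounts, placeholder hashes).
write_sample() {
    cat > "$1/master.passwd" <<'EOF'
# constructed master.passwd sample
root:$6$examplehash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
alice_adm:$6$examplehash:0:0::0:0:Alice (admin):/root:/usr/local/bin/bash
bob_adm:$6$examplehash:0:0::0:0:Bob (admin):/root:/usr/local/bin/zsh
carol:$6$examplehash:1001:1001::0:0:Carol:/home/carol:/bin/sh
EOF
    printf '%s\n' '# constructed shells file' /bin/sh /bin/csh /bin/tcsh \
        /usr/local/bin/bash > "$1/shells"
}

tmp=$(mktemp -d) && write_sample "$tmp"
audit_uid0 "$tmp/master.passwd" "$tmp/shells"
rm -rf "$tmp"
```

On a FreeBSD host the call would be `audit_uid0 /etc/master.passwd /etc/shells`, run as root because master.passwd is not world-readable.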