From: Bob Johnson
To: Peter Leftwich, FreeBSD LIST
Subject: Re: How to create another account with root privileges ?
Date: Thu, 10 Oct 2002 21:01:51 -0400

On Thursday 10 October 2002 12:38 am, Peter Leftwich appears to have
written:
> On Thu, 10 Oct 2002, Bob Johnson wrote:
> > On Wednesday 09 October 2002 09:02 pm, Pranav A. Desai appears to
> > have written:
> > > Hi! I have been asked to create admin accounts for a machine such
> > > that all of them can access that machine as root but with
> > > different username and password.
> >
> > In many environments, this is reasonable.
> > Sometimes you have
> > more than one person who must have full administrative rights,
> > unless you plan to have your one administrator be on 24/7 call. It
> > is good policy to prohibit anyone, even administrators, from
> > sharing accounts, so you give each admin their own account. Of
> > course, if they only need limited admin rights, then sudo is
> > probably a better solution. Talk to your customer and find out
> > what they are really trying to accomplish.
>
> man su
>

Yes, most facilities have admins log in with their personal accounts
and then su to root. It is the traditional way, but doesn't answer the
original question. There is something to be said for being able to
instantly change the root password without having to propagate a new
password to the other admins who may be off duty, on vacation, or
whatever. E.g., what happens if an admin screws up and reveals their
password to the world? No, it isn't a perfect system, but I think the
advantages outweigh the disadvantages. My feelings won't be hurt if
someone points out that I missed something obviously wrong with this.

I've also found it difficult to keep some admins from logging in at
the console as root (because it's "too hard" to log in as a user and
then su to root, and besides, that's how they've always done it). You
can't (or at least you probably don't want to) disable console logins
by admin accounts, so the next best thing is to give each admin their
own account and don't tell them the root password. The point here
isn't to keep a dishonest admin from hiding their tracks (it takes a
lot more effort to do that, if you can do it at all), but to keep the
lazy admins honest.

In my case it is actually site policy (created with no particular
operating system in mind) that no two users, even admins, may share an
account unless absolutely necessary.
I went ahead and set up to comply
with the policy since I couldn't think of a reason not to, and I also
agree that it is good policy. We are trying to get people out of the
habit of casually sharing passwords.

In any case, it's a tool that may be useful in some situations.

> > The "toor" account is an example of exactly what you want, although
> > by default it is disabled (by an invalid password field). To
> > create a similar account, use "vipw" to edit the password file.
> > Copy the root entry, but give each person their own name and the
> > shell of their choice (the shell must be in /etc/shells).
>
> What -is- that toor (root backwards) account for anyways??
>

The toor account was originally an admin account with the bash shell.
root used sh. You do not (or did not at that time) want to set the root
shell to be bash, it causes a bunch of not immediately obvious
problems, so the toor account was created for those who like bash.

It took a few iterations to find the various utilities confused by
multiple root accounts and fix them.

> Is there a command similar to vipw that uses a simpler editor, like
> pico?
>

No, but you can change the default editor that vipw uses by
setting the EDITOR variable.

> > Leave everything else the same as for root. If you copy the
> > password field from the root account, then the new admin account
> > will have the same password, which should be changed by the user of
> > the account. Also, never change the shell for root. It needs to be
> > as it is for some things to work right. That's why the toor
> > account exists: so you can set up an admin account with your choice
> > of shell.
>
> I always log in 100% of the time to my box as root and my shell is
> tcsh
>

That is generally considered to be a really bad thing. If you screw
up and issue a highly destructive command, nothing stops root
from destroying your entire system.
If some attacker manages to
gain access to your account, they own the entire system if your
account is root.

> Does it matter that (I think) I changed the shell for root?
>

It can. If the shell you selected is not in /bin, or it needs libraries
that are not in /bin, you may find it difficult to fix problems that
require you to interrupt a boot before all the drives are mounted.
Thus, since bash is not in /bin, you want to create a second admin
account (toor) if you happen to want to use bash as your admin shell.
If it happens that that is no longer necessary, well, at least now you
know the historical reason.

There used to be problems with some boot-time scripts not
executing properly if the root shell wasn't sufficiently similar
to sh, but I _think_ that's cleaned up now so that they all run
in an explicitly specified shell.

[...remainder deleted...]

- Bob
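
Added example (not part of the message above and not FreeBSD's own tooling): a shell function that lists every UID 0 account in a master.passwd-format file and flags the conditions the message raises: a disabled password field, a shell missing from /etc/shells, and a shell outside /bin. The function names, account names, hashes and file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original message.
# master.passwd fields:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# audit_uid0 PASSWD_FILE SHELLS_FILE
# Prints one line per UID 0 account: "<name> <state> <notes>".
audit_uid0() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the list of valid shells, skipping comments and blanks.
            while ((getline line < shells) > 0)
                if (line != "" && line !~ /^#/) ok[line] = 1
        }
        /^#/ || NF != 10 { next }      # comments and malformed entries
        $3 == 0 {
            # A password field starting with "*" can never match a hash:
            # the invalid password field the message describes for toor.
            state = ($2 ~ /^\*/) ? "disabled" : (($2 == "") ? "EMPTY-PASSWORD" : "active")
            # An empty shell field means the default, /bin/sh.
            sh = ($10 == "") ? "/bin/sh" : $10
            notes = ""
            if (!(sh in ok))      notes = notes " shell-not-in-shells"
            if (sh !~ /^\/bin\//) notes = notes " shell-outside-/bin"
            if (notes == "")      notes = " ok"
            printf "%s %s%s\n", $1, state, notes
        }
    ' "$1"
}

# write_sample DIR: constructed sample files (hypothetical accounts and hashes).
write_sample() {
    cat > "$1/master.passwd" <<'EOF'
root:$6$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
alice_adm:$6$constructed$hash:0:0::0:0:Alice, admin:/root:/usr/local/bin/bash
bob:$6$constructed$hash:1001:1001::0:0:Bob:/home/bob:/bin/tcsh
EOF
    printf '%s\n' '# constructed shells list' /bin/sh /bin/csh /bin/tcsh > "$1/shells"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_uid0 "$demo_dir/master.passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

On a live system the same function can be pointed at /etc/master.passwd and /etc/shells (reading master.passwd requires root).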