Date: Tue, 16 Dec 2008 09:10:11 +1000
From: Da Rock <rock_on_the_web@comcen.com.au>
To: freebsd-questions@freebsd.org
Subject: Re: Firebird client fails port install
Message-ID: <1229382617.1647.88.camel@laptop2.herveybayaustralia.com.au>
In-Reply-To: <20081215234604.R56683@wojtek.tensor.gdynia.pl>
References: <1229202715.18610.5.camel@laptop2.herveybayaustralia.com.au> <443agpp78i.fsf@be-well.ilk.org> <1229373442.1647.57.camel@laptop2.herveybayaustralia.com.au> <44tz95noyd.fsf@be-well.ilk.org> <1229375416.1647.63.camel@laptop2.herveybayaustralia.com.au> <4946D0CD.4040805@msen.com> <1229380311.1647.74.camel@laptop2.herveybayaustralia.com.au> <20081215234604.R56683@wojtek.tensor.gdynia.pl>

On Mon, 2008-12-15 at 23:46 +0100, Wojciech Puchar wrote:
> > As a matter of fact I never use true root I ALWAYS use su (believe it or
>
> what's a practical difference between logging to root directly or doing
> su?

The log files log exactly "who" did what instead of anonymously. At the least they show who had su'd to root and when, but from my experience it says the user and what was done.

Incidentally, I first heard of this practice through my MCSE (where basically M$ NT was bagged as the worst system ever- strange wouldn't you say seeing as it was an M$ course?), but the practice has been in use for years by old school *nix administrators and has been specified as "best practice". Just read nearly any *nix manual or tutorial.

Why do you think the sysinstall for freebsd and just about every *nix distro says to create a user account so you don't use root? It also sometimes states to use su to gain root privileges in the warning message.

It actually frightens me how many new administrators don't bother with following this policy- even ISPs. It helps with forensic analysis, and if you suddenly find root doing stuff in your logs (if you follow the best practice methods) then you know it wasn't you or anybody authorised.

If anybody here can tell me how to enforce this policy in practice I'd be very interested to hear it (although I doubt one could prevent console access to root ICE). Maybe a method to obtain the user's name or something. I think it can only be enforced in policy and not practice, though.
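
The log check described in the message above, as an added example that is not part of the original e-mail: it separates root sessions reached through su (which name the invoking user) from direct root logins (which do not). The sample lines are constructed in the style of FreeBSD su, login and sshd syslog messages; those message formats and the function names are assumptions.

```python
import re

# Constructed sample lines (not from a real host), styled after FreeBSD auth logs.
SAMPLE_LOG = """\
Dec 16 09:01:12 laptop2 su: rock to root on /dev/ttyp0
Dec 16 09:03:40 laptop2 su: BAD SU guest to root on /dev/ttyp1
Dec 16 09:05:02 laptop2 login: ROOT LOGIN (root) ON ttyv0
Dec 16 09:07:55 laptop2 sshd[1234]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Dec 16 09:08:30 laptop2 sshd[1240]: Accepted publickey for rock from 192.0.2.11 port 51300 ssh2
"""

# Order matters: the failed-su rule is tried before the successful-su rule.
RULES = [
    ("su-failed", re.compile(r"su: BAD SU (?P<who>\S+) to root on (?P<where>\S+)")),
    ("su", re.compile(r"su: (?P<who>\S+) to root on (?P<where>\S+)")),
    ("direct-root", re.compile(r"login: ROOT LOGIN \((?P<who>\S+)\) ON (?P<where>\S+)")),
    ("direct-root", re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<who>root) from (?P<where>\S+)")),
]


def root_events(log_text):
    """Return one dict per log line that records gaining (or trying to gain) root."""
    events = []
    for line in log_text.splitlines():
        for kind, rx in RULES:
            m = rx.search(line)
            if m:
                events.append({"when": line[:15], "kind": kind,
                               "who": m["who"], "where": m["where"]})
                break  # first matching rule wins
    return events


def unattributed(events):
    """Root sessions with no named user behind them: the ones the su policy should make rare."""
    return [e for e in events if e["kind"] == "direct-root"]


if __name__ == "__main__":
    for e in root_events(SAMPLE_LOG):
        flag = "  <-- no named user" if e["kind"] == "direct-root" else ""
        print(f'{e["when"]}  {e["kind"]:<12} {e["who"]:<6} {e["where"]}{flag}')
```
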