On 8/16/2013 11:08 AM, berenger.mo...@neutralite.org wrote:


> On 16.08.2013 16:03, Jerry Stuckle wrote:
>> On 8/16/2013 8:31 AM, berenger.mo...@neutralite.org wrote:
>>> On 15.08.2013 04:11, Richard Hector wrote:
>>>> By using su, with root's password, that means everyone who has root has
>>>> full root and knows the same password, so that will have to be changed
>>>> if they are to be blocked, which means communicating the new password to
>>>> all the required users.
>>>
>>> I apologize, but I think that this statement about everyone with root
>>> access having the same password is wrong.
>>> You can just create a root account for every person with root access,
>>> giving them the ID 0 and you will not need to communicate highly
>>> sensitive passwords.
>>
>> Which would be a major security risk.  You do NOT want a bunch of ids
>> with root privileges.  Nor do you want anyone but the system
>> administrator (and backup) to have full root access to the system.
>
> Why would it be worse than a shared admin account? For the shared
> account, I can easily understand why it's not something to do, but I
> cannot see the problem with multiple "root" accounts?
> (I did not say that the admins should use them for daily tasks, just
> that it was possible to use that to avoid changing a password when
> someone lost his rights.)



It is that many more accounts with root access that can be broken into, and you have to protect against hackers.

You should only have two (in large shops maybe 3) people with full root access - that admin and his/her backup(s). Then you prevent 'root' from being logged into remotely. Finally, you give people with the need for *some* special access limited access to those resources.

It is far safer for those two or three who need root access to log in with their own id then su to get to root.

Please read up on system administration and Linux security in general. Properly securing a system is a systematic process with lots of things to consider. It is not something you can learn in a few Usenet messages.


Archive: http://lists.debian.org/520e4a2e.9060...@attglobal.net
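
Added example, not part of the original thread: a shell audit for the two conditions discussed above, accounts other than root that carry UID 0 and whether remote root login is disabled. The function names and the sample files are constructed for illustration; the sshd_config check assumes sshd's first-occurrence-wins rule and ignores Match blocks and Include files.

```shell
#!/bin/sh
# Added example: audit for extra UID-0 accounts and remote root login.
# Function names and sample data are illustrative, not from the thread.

# Print every account name whose UID field is 0 in a passwd-format file.
uid0_accounts() {
    awk -F: '$0 !~ /^[ \t]*#/ && NF >= 3 && $3 ~ /^0+$/ { print $1 }' "$1"
}

# Print UID-0 accounts other than "root"; return 1 if any exist.
extra_uid0_accounts() {
    extra=$(uid0_accounts "$1" | grep -vx 'root' || true)
    if [ -z "$extra" ]; then
        return 0
    fi
    printf '%s\n' "$extra"
    return 1
}

# Print the global PermitRootLogin value from an sshd_config-format file
# (first occurrence wins), or "unset" if the keyword is absent.
# Simplification: stops at the first Match block, does not follow Include.
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Constructed sample input: one extra UID-0 account, root login disabled.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
adm2:x:0:0:second admin:/home/adm2:/bin/bash
EOF
cat > "$tmp/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
EOF

extra_uid0_accounts "$tmp/passwd" || echo "finding: UID-0 accounts other than root (listed above)"
echo "PermitRootLogin: $(permit_root_login "$tmp/sshd_config")"
rm -rf "$tmp"
```

On a live system the same functions can be pointed at /etc/passwd and /etc/ssh/sshd_config.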