Why not just give that user sudo? Then you can see how they fix/break it worse, and if they have to become root they can just sudo su -? -----Original Message----- From: Frank Steiner [mailto:fsteiner-mail@bio.ifi.lmu.de] Sent: Friday, March 11, 2005 4:10 PM To: Mike Tierney Cc: 'miguel gmail'; 'SuSE Securitylist' Subject: Re: [suse-security] Problem with second user with uid 0? Mike Tierney wrote
If anyone is *REALLY* determined they can
1) Cut the padlock 2) Pop the case and clear the BIOS password via jumpers
Right. So whenever a user has physcial access to the hardware, you can't do much to prevent him from hacking into the system. And a user who should recover a broken system when I'm off, should have access to the server he needs to recover, so... I think the question here is: How easy should it be for someone to get root access? If users know the root password by default, they tend to use it from time to time "to do a little fix or install a little program because the admin has already gone home...", and that's what we don't want. In case sth. breaks while I'm not in the office, a pre-selected user opens a sealed envelope. I see this when I'm back and change the password again to avoid this user doing "a little fix or..." :-) Because this user must have a key to the server room, I must trust him that he does not open the server and resets the bios to break in. And if I trust him this way, I can also trust him that he does not install a backdoor after opening the envelope and working as root to fix the server. That's the deal. Nothing more. And all I want to reach is to give this user a different root password than my usual root password, so that I don't have to change mine after the envelope was opened.
3) Change the BIOS back to booting from CDROM and pop in a boot disk 4) Not sure how they'd deal with the encrypted disks! Maybe get a job as a cleaner and install a keystroke logger on the keyboard a few weeks beforehand...?
So all of a sudden leaving the root password in a sealed envelope that's stored in a locked filing cabinent doesn't sound so bad after all!!!!
Especially not for a chair with 10 people where we all know each other very well and everyone knows where to get the key to enter the server room :-) -- Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/ Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/ LMU, Amalienstr 17 Phone: +49 89 2180-4049 80333 Muenchen, Germany Fax: -4054 * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. * -- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here