Hi Martin,

Wilde, Martin wrote:
Hi Frank,
if your rootid user is managed on a per host basis I would not expect *technical* security traps. During logon the passwd file is checked, if there is a user named "rootid", then the crypted password is taken from the shadow file and if there is a match then the userid 0 (or any other id from the passwd file) is set. AFAIK: after login all programs just test the userid (0) to find out if you have root permissions. So everything should be fine except all commands that do an id-to-username translation (like id(1) e. g.).
Right, so that's what I would expect. Actually, having "id" or "who am i" return "root" for the user rootid is a good thing, so that even programs comparing e.g. `id -un` to "root" won't fail to grant access...
Other problems: As you are talking about "normal" users: I do not know if they *really* know what to do. So you usually need someone "trusted" that is aware of what is meant by "having root permissions" - e. g. what happens when he types "rm -rf .*" in some user directory.
Sure! There are trusted users, and only they know where to find the envelopes with the root passwords. So far, they would get the real root password; in future they will get the one for "rootid", for just the one simple reason that I don't have to change my root passwords that took me some time to learn ;-)
In case you are using NIS: Be aware that those users will have root permissions on *all* systems.
Yes, we use /etc/passwd files and have different classes of hosts with different passwd files and root passwords, so that should work fine!
Also keep in mind that this user has access to *all* files including documents from your general manager or the human resources people!
Right, but that's ok. We are a chair at the university with 10 members, and we really (have to) trust our research assistants. They have physical access to their PCs and to the server room, so if we don't trust them in a certain sense, we can't work at all. In general, they don't have the root password, and if they need it during my holidays, I will be notified and tell the boss who took it and let him/her report what he/she did, and then change the root password again. If they want to steal some data or install a trap door, they would find other ways anyway (physical access to the server hosts...).
Also be sure that the password for the rootid user is as strong as yours should be!
I will do so :-) Thanks!

cu,
Frank

--
Dipl.-Inform. Frank Steiner   Web:   http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail:  http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr 17            Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   -4054
* You can only understand recursion once you have understood recursion. *
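
An added example, not part of the original mail: a small audit that lists every UID-0 account in passwd-format data, reports the state of its shadow password field, and shows which name a uid-to-name lookup on flat files returns (the first matching line). The sample file contents are constructed; only the account name "rootid" comes from the thread.

```python
# Constructed sample data in passwd(5) / shadow(5) format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rootid:x:0:0:delegated root:/root:/bin/bash
frank:x:1000:100:Frank:/home/frank:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
rootid::19000:0:99999:7:::
frank:$6$constructedsalt$constructedhash:19000:0:99999:7:::
"""

def parse_passwd(text):
    """Return (name, uid) pairs in file order, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7 or not fields[2].isdigit():
            continue
        entries.append((fields[0], int(fields[2])))
    return entries

def parse_shadow(text):
    """Map account name -> password field."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: f[1] for f in rows if len(f) >= 2}

def password_status(field):
    if field is None:
        return "no shadow entry"
    if field == "":
        return "EMPTY password"
    if field[0] in "!*":
        return "locked"
    return "password set"

def audit_uid0(passwd_text, shadow_text):
    """List all UID-0 accounts and the name reported for uid 0."""
    shadow = parse_shadow(shadow_text)
    uid0 = [name for name, uid in parse_passwd(passwd_text) if uid == 0]
    return {
        "uid0_accounts": [(n, password_status(shadow.get(n))) for n in uid0],
        # Flat-file uid-to-name lookups return the first matching line.
        "name_reported_for_uid0": uid0[0] if uid0 else None,
    }

if __name__ == "__main__":
    print(audit_uid0(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

Running it per class of hosts, against each distinct passwd file, shows where the second UID-0 account exists and flags one whose password field is empty.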