RE: [suse-security] Problem with second user with uid 0?
Hi Frank,

if your rootid user is managed on a per host basis I would not expect *technical* security traps. During logon the passwd file is checked, if there is a user named "rootid", then the crypted password is taken from the shadow file and if there is a match then the userid 0 (or any other id from the passwd file) is set. AFAIK: after login all programs just test the userid (0) to find out if you have root permissions. So everything should be fine except all commands that do an id-to-username translation (like id(1) e. g.).

other problems:

As you are talking about "normal" users: I do not know if they *really* know what to do. So you usually need someone "trusted" that is aware of what is meant by "having root permissions" - e. g. what happens when he types "rm -rf .*" in some user directory.

In case you are using NIS: Be aware that those users will have root permissions on *all* systems.

Also keep in mind that this user has access to *all* files including documents from your general manager or the human resources people!

Be also sure, that the password for the rootid user is as strong as yours should be!

Martin

-----Original Message-----
From: Frank Steiner [mailto:fsteiner-mail@bio.ifi.lmu.de]
Sent: Thursday, March 10, 2005 10:53 AM
To: SuSE Securitylist
Subject: [suse-security] Problem with second user with uid 0?

Hi,

are there any security (or other) problems when having a second user with uid 0? We would like to maintain a user "rootid" which has uid 0 and should be used for normal users logging in as root when the admin (me) is e.g. on holidays and sth. fails and needs to be repaired. For this, we have sealed envelopes with the root passwords which some users can open to get the password (the boss wants it like that). To avoid changing "my" root password afterwards, users should get the password for "rootid" and work with that account. After my return, I would just have to change the rootid password and could still work with my normal root password.

"sudo" etc. is not a real solution, because users might need to log in during boot when fsck fails. And then you need a root password and no sudo etc. Are there any problems with such a setup? Of course the rootid account must be protected the same way the root account is. In a first test, I could do anything with the rootid user, but I'm not sure if there are any security traps that I don't recognize...

cu,
Frank

--
Dipl.-Inform. Frank Steiner   Web:   http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail:  http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr 17            Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   -4054
* You can only understand recursion once you have understood recursion. *

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Hi Martin,

Wilde, Martin wrote:

> Hi Frank,
>
> if your rootid user is managed on a per host basis I would not expect *technical* security traps. During logon the passwd file is checked, if there is a user named "rootid", then the crypted password is taken from the shadow file and if there is a match then the userid 0 (or any other id from the passwd file) is set. AFAIK: after login all programs just test the userid (0) to find out if you have root permissions. So everything should be fine except all commands that do an id-to-username translation (like id(1) e. g.).
right, so that's what I would expect. Actually, having "id" or "who am i" return "root" for the user rootid is a good thing, so that even programs comparing e.g. `id -un` to "root" won't fail to grant access...
> other problems: As you are talking about "normal" users: I do not know if they *really* know what to do. So you usually need someone "trusted" that is aware of what is meant by "having root permissions" - e. g. what happens when he types "rm -rf .*" in some user directory.
Sure! There are trusted users, and only they know where to find the envelopes with the root passwords. So far, they would get the real root password; in future they will get the one for "rootid", for just the one simple reason that I don't have to change my root passwords that took me some time to learn ;-)
> In case you are using NIS: Be aware that those users will have root permissions on *all* systems.
Yes, we use /etc/passwd files and have different classes of hosts with different passwd files and root passwords, so that should work fine!
> Also keep in mind that this user has access to *all* files including documents from your general manager or the human resources people!
Right, but that's ok. We are a chair at the university with 10 members, and we really (have to) trust our research assistants. They have physical access to their PCs and to the server room, so if we don't trust them in a certain sense, we can't work at all. In general, they don't have the root password, and if they need it during my holidays, I will be notified and tell the boss who took it and let him/her report what he/she did, and then change the root password again. If they want to steal some data or install a trap door, they would find other ways anyway (physical access to the server hosts...).
> Be also sure, that the password for the rootid user is as strong as yours should be!
I will do so :-)

Thanks!

cu,
Frank

--
Dipl.-Inform. Frank Steiner   Web:   http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail:  http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr 17            Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   -4054
* You can only understand recursion once you have understood recursion. *
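The passwd-lookup behaviour Martin describes (login resolves the name to uid 0, while id-to-name translation returns the first entry with that uid) is easy to check for. Below is an added example, not code from this thread: a small audit of a constructed passwd file that lists every account sharing uid 0 and shows which name uid 0 resolves to, so an admin can confirm that a "rootid"-style account exists only where intended.

```python
"""Audit a passwd file for accounts that share uid 0 (added example)."""
from typing import Optional

# Constructed sample /etc/passwd content with a second uid-0 account ("rootid")
# mirroring the setup discussed in the thread. Not a real host's file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
rootid:x:0:0:emergency root:/root:/bin/bash
steiner:x:1000:100:Frank Steiner:/home/steiner:/bin/bash
"""

def parse_passwd(text: str) -> list[dict]:
    """Split passwd lines into field dicts, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit would report it
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries

def uid0_accounts(text: str) -> list[str]:
    """Every login name that maps to uid 0; more than one deserves a look."""
    return [e["name"] for e in parse_passwd(text) if e["uid"] == 0]

def name_for_uid(text: str, uid: int) -> Optional[str]:
    """Emulate getpwuid(3): the first passwd entry with that uid wins, which
    is why id(1) reports 'root' even after logging in as 'rootid'."""
    for e in parse_passwd(text):
        if e["uid"] == uid:
            return e["name"]
    return None

def audit_report(text: str) -> str:
    """One-line summary suitable for a cron job or login check."""
    names = uid0_accounts(text)
    if len(names) <= 1:
        return "ok: single uid-0 account"
    return (f"notice: {len(names)} accounts with uid 0: {', '.join(names)}; "
            f"uid 0 resolves to '{name_for_uid(text, 0)}'")

if __name__ == "__main__":
    print(audit_report(SAMPLE_PASSWD))
```

On a real host, feed the contents of /etc/passwd to audit_report() and compare the list against the accounts you expect; the same check does nothing for NIS-served entries, which is Martin's point about shared root on all systems.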