Mailinglist Archive: opensuse-security (228 mails)

< Previous Next >
Re: [suse-security] Problem with second user with uid 0?
  • From: Rikard Johnels <rikjoh@xxxxxxxxx>
  • Date: Thu, 10 Mar 2005 14:26:58 +0100
  • Message-id: <200503101427.00183.rikjoh@xxxxxxxxx>
On Thursday 10 March 2005 13.57, E. Oosterhuis wrote:
> Hi,
>
> If your system boots with an initrd (check this in /boot/grub/menu.lst) a
> "new" root account does not work. Your college will need the password
> stored in the initrd. ( If fsck checkes / )
>
> Enno
>
> On Thursday 10 March 2005 10:52, Frank Steiner wrote:
> > Hi,
> >
> > are there any security (or other) problems when having a second user
> > with uid 0?
> > We would like to mainain a user "rootid" which has uid 0 and should
> > be used for normal users logging in as root when the admin (me) is
> > e.g. on holidays and sth. fails and needs to be repaired. For this,
> > we have sealed envelopes with the root passwords which some users
> > can open to get the password (the boss wants it like that).
> >
> > To avoid changing "my" root password afterwards, users should get the
> > password for "rootid" and work with that account. After my return,
> > I would just have to change the rootid password and could still work
> > with my normal root password. "sudo" etc. is not a real solution,
> > because users might need to login during boot when fsck fails. And
> > then you need a root password and no sudo etc.
> >
> > Are there any problem with such a setup? Of course the rootid account
> > must be protected the same way the root account is.
> >
> > In a first test, I could do anything with the rootid user, but I'm not
> > sure if there are any security traps that I don't recognize...
> >
> > cu,
> > Frank
> >
> >
> > --
> > Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/
> > Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/
> > LMU, Amalienstr 17 Phone: +49 89 2180-4049
> > 80333 Muenchen, Germany Fax: -4054
> > * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *
>
> --
> Groeten van
>
> Enno Oosterhuis
>
> e.oosterhuis@xxxxxxxxxxxxxx

Wont the "second" root be able to reset ordinary roots password?
Or add a "backdoor" on the system?
Malicious code can easily be installed once logged in as uid 0.
"I'll just up my pesonal powers a wee bit" is always the most dangerous thing.

--

/Rikard

---------------------------------------------------------------
Rikard Johnels email : rikjoh@xxxxxxxxx
Web : http://www.rikjoh.com/users/rikjoh
Mob : +46 735 05 51 01
PGP : 0x461CEE56
---------------------------------------------------------------

< Previous Next >
Follow Ups