Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] Problem with second user with uid 0?
  • From: jfweber@xxxxxxxxxxxxx
  • Date: Thu, 10 Mar 2005 03:17:38 -0500
  • Message-id: <200503100317.39009.jfweber@xxxxxxxxxxxxx>
On Thursday 10 March 2005 4:52 am, Frank Steiner wrote:
> Hi,
> are there any security (or other) problems when having a second user
> with uid 0?
> We would like to maintain a user "rootid" which has uid 0 and should
> be used for normal users logging in as root when the admin (me) is
> e.g. on holidays and sth. fails and needs to be repaired. For this,
> we have sealed envelopes with the root passwords which some users
> can open to get the password (the boss wants it like that).

IANAL and not as knowledgeable as others on the list, but you might consider
the "Administrators" setup where they aren't logged into the computer as a
regular user. In other words, the Administrator account really isn't at
least under the same user name an account on the computer. That might slow
down any uninvited boost to the "normal" user rights..

Seriously though, something important to consider: you need to have a
serious chat w/ the boss.. perhaps a meeting setup and scheduled to
apprise him/her/them w/ the actual things a "root" user can do that might
actually not be what the company would want to allow.

It appears what your boss wants is not to be bothered during times you
aren't around w/ any fiddly little things that go wrong w/ the computers,
he just wants them to keep working... And no doubt hasn't considered any
other ramifications.

Industrial espionage, or just plain boredom or curiosity can lead to people
"just looking" at information they do not have any need to know. As
others have said, a root user has access to all information on your
network systems.

This might and can eventually lead to legal problems for your boss and the
company depending on where mischief or curiosity leads, and what legal or
fiduciary responsibilities the company may have. Those get very very
expensive and you do not want to be associated in any way w/ setting up a
system that might lead to such things w/o absolutely making certain your
immediate superior(s) are fully apprised of the dangers. After all, your
future is at stake as well as theirs.

Imagine attempting to get another IT job if some fiasco happened to a
company where you were the IT dept. Or the head of same... It would be bad
enough if it didn't get publicized. I doubt there would be any future in
the industry should anything untoward happen and you have not protected
yourself by apprising those who should know of the potential for minor
( he types "rm -rf .*" in some user directory ) or major... (think the
current fuss over info released about Paris Hilton's address book and
translate it to, oh, release of people's info by a doctor, lawyer,
hospital etc... )

I'm putting on the B-mer Brothers
Would you mind putting on this grass skirt?
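The question quoted at the top of this message is whether a second account sharing uid 0 (the "rootid" idea) is a problem. As an added example that is not part of this thread, here is a small POSIX shell audit that lists every passwd entry whose uid is 0 and flags any beyond "root", so such accounts stay visible to the administrator; the passwd content embedded below is constructed sample data, not from any real system.

```shell
#!/bin/sh
# Constructed sample passwd content with a second uid 0 account ("rootid").
# Embedded here so the check runs offline; the names are hypothetical.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
rootid:x:0:0:shared root login:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
frank:x:1000:100:Frank:/home/frank:/bin/bash'

# Print the login name of every entry whose numeric uid (field 3) is 0.
# Usage: uid0_accounts [passwd-file]   (defaults to the system /etc/passwd)
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Exit status 0 when exactly one uid 0 account exists, 1 when there are
# extra ones (each extra name is reported on stderr), 2 when there is none.
check_single_root() {
    _n=$(uid0_accounts "$1" | wc -l | tr -d ' ')
    if [ "$_n" -eq 0 ]; then
        echo "no uid 0 account found" >&2
        return 2
    elif [ "$_n" -gt 1 ]; then
        uid0_accounts "$1" | grep -v '^root$' \
            | sed 's/^/extra uid 0 account: /' >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample (reports "rootid").
_tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$_tmp"
check_single_root "$_tmp" || echo "sample has more than one uid 0 entry"
rm -f "$_tmp"
```

Run with no argument inside check_single_root to audit the live /etc/passwd; on a system where the admin has created "rootid", it is listed as an extra uid 0 account.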
