With root privileges it is easy to try to guess a user's password, and with tools easily available to automate the process, you can get weak passwords pretty quickly. As the root user you can always "su" to any user without a password. The root user can also set a new password for any user. By making a copy of the shadow file before changing a user's password and then copying back the original after you are done pretending to be that user, you can obscure your actions in the log files. Of course, with root access you can also delete or edit the logs to hide your actions.

Really, the point is that you need to protect the root account. Be very careful with suid bits, sudo access, wheel groups, and anything else that might allow a user to run something with root privileges or to trick a root process into running a user's application.

When reviewing log files, look for more than just the obvious attacks. Watch for missing log files, missing blocks of entries, inconsistent time sequences, or changes to the format of common entries, as these can indicate log tampering.

Grant Q

-----Original Message-----
From: Thompson, James M. [mailto:JTHOMPSON4@mail.northgrum.com]
Sent: Friday, May 30, 2003 1:37 PM
To: 'magre'; 'suse-linux-e@suse.com'
Subject: RE: [SLE] Is it possible for root to know user's password ???
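
The log-review checks from the reply above (missing blocks of entries, inconsistent time sequences, changed entry formats), as an added example that is not part of the original message. It assumes traditional syslog lines without a year; `find_log_anomalies`, the one-hour gap threshold and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Traditional syslog line: "May 30 13:37:01 host program[pid]: message"
LINE_RE = re.compile(
    r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^\s:\[]+)(\[\d+\])?: "
)

def find_log_anomalies(lines, year, max_gap=timedelta(hours=1)):
    """Return (line_number, kind, detail) tuples for entries worth a closer look."""
    findings = []
    prev = None
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            # An entry that stops matching the usual layout may have been hand-edited.
            findings.append((n, "format", line.strip()[:60]))
            continue
        # Classic syslog omits the year, so the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if prev is not None:
            if ts < prev:
                # Time running backwards: spliced-in entries or a changed clock.
                findings.append((n, "time-reversal", f"{prev} -> {ts}"))
            elif ts - prev > max_gap:
                # Long silence on a host that normally logs: possible deleted block.
                findings.append((n, "gap", str(ts - prev)))
        prev = ts
    return findings

# Constructed sample: hourly cron entries are missing between 09:14 and 13:20.
SAMPLE = """\
May 30 09:00:01 host1 cron[411]: (root) CMD (run-parts /etc/cron.hourly)
May 30 09:14:52 host1 sshd[902]: Accepted password for alice from 192.0.2.10 port 4022
May 30 13:20:07 host1 su[1187]: session opened for user bob by root
May 30 13:05:44 host1 sshd[1201]: Connection closed
2003-05-30T13:30:00 host1 su: session closed
May 30 13:36:10 host1 cron[1302]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    for finding in find_log_anomalies(SAMPLE, year=2003):
        print(finding)
```

The gap threshold only means something relative to the host's normal log volume, and because root can edit local logs, the same check is more trustworthy when run against a copy forwarded to a separate log host.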