[GLLUG] root access

Edward Glowacki glowack2@msu.edu
11 Apr 2002 10:48:57 -0300


On Thu, 2002-04-11 at 09:28, Melson, Paul wrote:
> Personally, I would avoid this practice if at all possible.  By creating
> a second '0:0' entry in /etc/passwd, you're not creating a second user
> with administrator rights, you're just creating another login/password
> pair for the root user.  Run `whoami` from a command line when logged in
> w/ this new user to see what I mean.  *IX users and groups are based
> almost solely on uid/gid membership, and this paradigm assumes that all
> users have unique uid's.  Linux will record a root login for each of
> these users, and files & directories created by these users will be
> owned by root.

We actually use this widely around MSU, since most of the servers are
managed by a group, not just one person.  Basically, if you're logging
into the servers, it's to do root-type stuff, and you need to be root to
do it.  We give each root account its own home directory so everyone can
have their own dotfiles.  At least on FreeBSD, Solaris, and AIX, wtmp
records the actual username of the person logging in, and doesn't
blindly just say "root" for all UID 0 accounts.  

> 
> I agree with Ben and Daniel on this.  Using a utility like `sudo`
> (standard w/ most RedHat installs) is a much better way to manage access
> to root privileges for multiple users.  Minimally, use `su` from
> individual accounts (w/ unique uid's) so that there is at least a log of
> who assumed root privileges and when in syslog.

If each user only needs to do a subset of root commands, sudo is
definitely the best choice, but if each user truly does need full root
access (as in my example above), sudo might lose most of its value.

-- 
Edward Glowacki				glowack2@msu.edu
GLLUG Peon  				http://www.gllug.org
Imagination is the one weapon in the war against reality.
                -- Jules de Gaultier
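
An added example, not part of the original message: a small audit of the shared-UID setup the thread discusses. It lists every UID held by more than one `/etc/passwd` entry and models the reverse lookup behind `whoami`. The sample file, the account names, and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in /etc/passwd format; every account name is hypothetical.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice_r:x:0:0:Alice (root alias):/home/alice_r:/bin/sh
bob_r:x:0:0:Bob (root alias):/home/bob_r:/bin/sh
carol:x:1001:1001:Carol:/home/carol:/bin/sh
dave:x:1001:1002:Dave:/home/dave:/bin/sh
truncated:x:1002
"""

def parse_passwd(text):
    """Yield (name, uid, gid, home) for each well-formed entry, in file order."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        # A passwd entry has exactly 7 colon-separated fields with numeric uid/gid.
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # skip blank or malformed lines rather than guessing
        yield fields[0], int(fields[2]), int(fields[3]), fields[5]

def shared_uids(text):
    """Map each UID used by more than one account to the names sharing it."""
    by_uid = defaultdict(list)
    for name, uid, _gid, _home in parse_passwd(text):
        by_uid[uid].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def uid_zero_accounts(text):
    """All login names that map to UID 0, in file order."""
    return [name for name, uid, _gid, _home in parse_passwd(text) if uid == 0]

def name_for_uid(text, uid):
    """Model a files-backed UID-to-name lookup: the first matching entry wins."""
    for name, entry_uid, _gid, _home in parse_passwd(text):
        if entry_uid == uid:
            return name
    return None

if __name__ == "__main__":
    for uid, names in sorted(shared_uids(SAMPLE_PASSWD).items()):
        owner = name_for_uid(SAMPLE_PASSWD, uid)
        print(f"UID {uid} shared by {', '.join(names)}; files resolve to '{owner}'")
```

Pass the contents of a real `/etc/passwd` to the same functions to audit a host; any UID they report cannot be traced back to one login name from file ownership alone.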