[GLLUG] root access
Charles Williams
willcha@sme.org
Thu, 11 Apr 2002 10:14:42 -0400
While on the subject of root access ...
We are on Solaris and some of our web team have found a way to "break in" to
root access with ws_ftp to upload files (usually html or gifs) from their
wintel pc. I know I've tried this out: with ws_ftp I can delete a file I
don't have privileges for. Then I can upload my own version over it. One of
our more creative graphic guys uses ws_ftp to mount our web server on his pc
I think. (I haven't tried or actually seen this but I've seen results of
it.) None of this is a big deal since we're all on good terms with each
other and our group is transitioning to a more secure way of life. In the
meantime, has anyone else experienced this problem? Do you know a fix for
it?
- chuck williams
> -----Original Message-----
> From: Edward Glowacki [SMTP:glowack2@msu.edu]
> Sent: Thursday, April 11, 2002 9:49 AM
> To: linux-user@egr.msu.edu
> Subject: RE: [GLLUG] root access
>
> On Thu, 2002-04-11 at 09:28, Melson, Paul wrote:
> > Personally, I would avoid this practice if at all possible. By creating
> > a second '0:0' entry in /etc/passwd, you're not creating a second user
> > with administrator rights, you're just creating another login/password
> > pair for the root user. Run `whoami` from a command line when logged in
> > w/ this new user to see what I mean. *IX users and groups are based
> > almost solely on uid/gid membership, and this paradigm assumes that all
> > users have unique uid's. Linux will record a root login for each of
> > these users, and files & directories created by these users will be
> > owned by root.
>
> We actually use this widely around MSU, since most of the servers are
> managed by a group, not just one person. Basically, if you're logging
> into the servers, it's to do root-type stuff, and you need to be root to
> do it. We give each root account its own home directory so everyone can
> have their own dotfiles. At least on FreeBSD, Solaris, and AIX, wtmp
> records the actual username of the person logging in, and doesn't
> blindly just say "root" for all UID 0 accounts.
>
> >
> > I agree with Ben and Daniel on this. Using a utility like `sudo`
> > (standard w/ most RedHat installs) is a much better way to manage access
> > to root privileges for multiple users. Minimally, use `su` from
> > individual accounts (w/ unique uid's) so that there is at least a log of
> > who assumed root privileges and when in syslog.
>
> If each user only needs to do a subset of root commands, sudo is
> definitely the best choice, but if each user truly does need full root
> access (as in my example above), sudo might lose most of its value.
>
> --
> Edward Glowacki glowack2@msu.edu
> GLLUG Peon http://www.gllug.org
> Imagination is the one weapon in the war against reality.
> -- Jules de Gaultier
>
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user
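The quoted exchange turns on whether a second `0:0` entry in /etc/passwd is a second administrator or just another name for root. Whichever camp a site is in, an administrator usually wants to know exactly which names currently resolve to UID 0, because every one of them is an unaudited path to full privilege if its password leaks. The script below is an added example, not something posted in this thread; it audits a passwd(5)-format file for UID 0 entries. The sample file it writes is constructed for illustration, and the function names (`uid0_accounts`, `count_uid0`, `extra_uid0_accounts`, `check_single_root`) are my own.

```shell
#!/bin/sh
# Added example (not from the GLLUG thread): audit a passwd(5)-format file
# for the "second 0:0 entry" practice discussed above. Works with the awk
# shipped on Solaris, FreeBSD and Linux; no GNU extensions are used.

# Constructed sample passwd file. Two names map to UID 0 on purpose.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
glowack2:x:0:0:Edward Glowacki:/home/glowack2:/bin/sh
willcha:x:1001:1001:Chuck Williams:/home/willcha:/bin/sh
EOF

# Print every account name whose numeric UID field is 0, one per line.
# The regex guard skips malformed lines whose third field is not a number.
uid0_accounts() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 == 0 { print $1 }' "$1"
}

# Number of UID 0 accounts; anything above 1 means root is shared under
# additional login names (and additional passwords).
count_uid0() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# The extra names only: UID 0 entries other than the canonical "root".
extra_uid0_accounts() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Hardening-check style verdict: exit 0 when root is the only UID 0
# account, exit 1 (with the offending names) otherwise.
check_single_root() {
    if [ "$(count_uid0 "$1")" -gt 1 ]; then
        echo "FINDING: extra UID 0 accounts in $1: $(extra_uid0_accounts "$1" | tr '\n' ' ')"
        return 1
    fi
    echo "OK: root is the only UID 0 account in $1"
    return 0
}

# Stand-alone demonstration against the constructed sample.
check_single_root "$SAMPLE_PASSWD" || true
```

Run `check_single_root /etc/passwd` from cron or a host-check job to get a nightly finding whenever someone adds a new UID 0 login; the `extra_uid0_accounts` output is the list to reconcile against whatever the site considers authorised. On a machine that relies on NIS or LDAP for accounts, feed it `getent passwd` output instead of the local file, since the duplicate may live in the directory rather than in /etc/passwd.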