[GLLUG] root access

Charles Williams willcha@sme.org
Thu, 11 Apr 2002 10:14:42 -0400


While on the subject of root access ...

We are on Solaris and some of our web team have found a way to "break in" to
root access with ws_ftp to upload files (usually html or gifs) from their
Wintel PC. I know I've tried this out: with ws_ftp I can delete a file I
don't have privileges for. Then I can upload my own version over it. One of
our more creative graphic guys uses ws_ftp to mount our web server on his PC,
I think. (I haven't tried or actually seen this, but I've seen results of
it.) None of this is a big deal since we're all on good terms with each
other and our group is transitioning to a more secure way of life. In the
meantime, has anyone else experienced this problem? Do you know a fix for
it?

- chuck williams
> -----Original Message-----
> From:	Edward Glowacki [SMTP:glowack2@msu.edu]
> Sent:	Thursday, April 11, 2002 9:49 AM
> To:	linux-user@egr.msu.edu
> Subject:	RE: [GLLUG] root access
> 
> On Thu, 2002-04-11 at 09:28, Melson, Paul wrote:
> > Personally, I would avoid this practice if at all possible.  By creating
> > a second '0:0' entry in /etc/passwd, you're not creating a second user
> > with administrator rights, you're just creating another login/password
> > pair for the root user.  Run `whoami` from a command line when logged in
> > w/ this new user to see what I mean.  *IX users and groups are based
> > almost solely on uid/gid membership, and this paradigm assumes that all
> > users have unique uid's.  Linux will record a root login for each of
> > these users, and files & directories created by these users will be
> > owned by root.
> 
> We actually use this widely around MSU, since most of the servers are
> managed by a group, not just one person.  Basically, if you're logging
> into the servers, it's to do root-type stuff, and you need to be root to
> do it.  We give each root account its own home directory so everyone can
> have their own dotfiles.  At least on FreeBSD, Solaris, and AIX, wtmp
> records the actual username of the person logging in, and doesn't
> blindly just say "root" for all UID 0 accounts.  
> 
> > 
> > I agree with Ben and Daniel on this.  Using a utility like `sudo`
> > (standard w/ most RedHat installs) is a much better way to manage access
> > to root privileges for multiple users.  Minimally, use `su` from
> > individual accounts (w/ unique uid's) so that there is at least a log of
> > who assumed root privileges and when in syslog.
> 
> If each user only needs to do a subset of root commands, sudo is
> definitely the best choice, but if each user truly does need full root
> access (as in my example above), sudo might lose most of its value.
> 
> -- 
> Edward Glowacki				glowack2@msu.edu
> GLLUG Peon  				http://www.gllug.org
> Imagination is the one weapon in the war against reality.
>                 -- Jules de Gaultier
> 
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user
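An added example, not part of the thread above, covering both points raised in it. The first two functions audit a passwd file for the duplicate "0:0" entries Paul and Edward discuss, since every such entry is just another name for uid 0. The third function encodes the Unix rule that most plausibly explains Chuck's ws_ftp observation, which the thread itself does not diagnose: unlink() checks write and search permission on the directory, not the mode of the file being removed, and only the sticky bit restricts deletion to the file's owner (the directory owner and root excepted). The passwd lines and directory modes are constructed for the example; the file and function names are the example's own.

```sh
#!/bin/sh
# Added example (not code from the GLLUG thread).  POSIX sh; runs on
# Solaris, Linux or *BSD.

# Write a constructed passwd file with three uid-0 logins to path $1.
write_sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:Super-User:/:/sbin/sh' \
        'daemon:x:1:1::/:' \
        'toor:x:0:0:Alt root:/export/home/toor:/bin/ksh' \
        'chuck:x:1001:10:Chuck Williams:/export/home/chuck:/bin/ksh' \
        'webadm:x:0:0:Web root:/export/home/webadm:/bin/ksh' > "$1"
}

# Print every login in passwd file $1 whose uid field is 0, one per line.
# Each of these is root by another name: same uid, same file ownership.
uid0_accounts() {
    awk -F: '$3 == "0" { print $1 }' "$1"
}

# Number of uid-0 logins beyond the first (0 when only root has uid 0).
extra_uid0_count() {
    awk -F: '$3 == "0" { n++ } END { print (n > 0 ? n - 1 : 0) }' "$1"
}

# $1: ls -ld style mode string (drwxrwxr-x, drwxrwxrwt, ...); only the
#     first 10 characters are used, so an ACL "+" or SELinux "." suffix
#     from ls is ignored.
# $2: caller's relation to the *directory*: owner, group or other.
# Prints "yes" if the caller can unlink a file in that directory that
# belongs to someone else, "no" otherwise.  root is not modelled (always yes).
can_unlink_others_file() {
    mode=$(printf '%s' "$1" | cut -c1-10); who=$2
    sticky=no
    case "$mode" in *t|*T) sticky=yes ;; esac
    case "$who" in
        owner) perms=$(printf '%s' "$mode" | cut -c2-4) ;;
        group) perms=$(printf '%s' "$mode" | cut -c5-7) ;;
        *)     perms=$(printf '%s' "$mode" | cut -c8-10) ;;
    esac
    w=$(printf '%s' "$perms" | cut -c2)
    x=$(printf '%s' "$perms" | cut -c3)
    # execute (search) shows as x, s or t when setuid/setgid/sticky is also set
    case "$x" in x|s|t) x=yes ;; *) x=no ;; esac
    case "$w" in w) w=yes ;; *) w=no ;; esac
    if [ "$w" = yes ] && [ "$x" = yes ]; then
        if [ "$sticky" = yes ] && [ "$who" != owner ]; then
            echo no    # sticky: only file owner, directory owner or root
        else
            echo yes   # write+search on the directory is all unlink needs
        fi
    else
        echo no
    fi
}

# Mode string of a real directory, portable to Solaris and Linux ls.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone run: audit the sample passwd, then show the deletion rule for
# a typical web root with group write, world write, and sticky bit.
tmp=$(mktemp) && write_sample_passwd "$tmp"
echo "uid-0 logins: $(uid0_accounts "$tmp" | tr '\n' ' ')"
echo "extra root aliases: $(extra_uid0_count "$tmp")"
rm -f "$tmp"
for m in drwxrwxr-x drwxrwxrwx drwxrwxrwt; do
    echo "$m: group member can delete another user's file? $(can_unlink_others_file "$m" group);" \
         "other can? $(can_unlink_others_file "$m" other)"
done
```

Run it against the real files with `uid0_accounts /etc/passwd` and `can_unlink_others_file "$(dir_mode /var/www/htdocs)" group`. If the web team shares the group that owns a group-writable document root, the second call prints "yes" for any file in it regardless of who owns the file, which matches what Chuck describes; the usual fixes are to drop group write on the directories, set the sticky bit so only a file's owner can replace it, or stop FTP from landing in that tree at all.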