user with root priviledge

Jeff Vian jvian10 at charter.net
Tue Apr 20 01:13:04 UTC 2004 


Keven Ring wrote:

> Jeff Vian wrote:
>
>>
>>
>> Björn Persson wrote:
>>
>>>>> Our Windows solution is to create two administrator-capable 
>>>>> accounts.  How
>>>>> can we best do the same with Linux machines?
>>>>
>>>>
>>>>
>>>
>>> I may be wrong but I think it's possible to have several user names 
>>> with user ID 0.
>>>
>>> Keven Ring wrote:
>>>
>>>> Third, too many "system administrators" [read: ROOT USERS] are 
>>>> likely to cause more headaches than it is worth.
>>>
>>>
>>>
>>>
>>> If more than one person needs root access, and a few selected 
>>> commands through sudo isn't enough, then surely it's better to have 
>>> multiple root accounts that to share a password.
>>>
>>> Björn Persson
>>>
>> I disagree!
>
>
> I agree with you, however, I must make some points [if at least to 
> throw some humor into the situation]....
>
>>
>> Here is a situation where this does not make sense, and the use of 
>> sudo does make sense
>>
>> 1. Multiple users with root authority.
>>    john,     bill,  and   sam
>>
>> one of these 3 happens to get mad/upset/frustrated/careless
>> This user (lets say john) logs in and runs some commands that are 
>> very destructive to the system
>>       (have you ever heard of "rm -rf /" being run????)
>> All three users actions are recorded as being done by root, thus no 
>> way to track who did what or when.
>> The analysis of the problem shows that "root" did some 
>> dumb/careless/harmfull things to the system.
>>
>> Who is responsible?????       Answer: one of the above 
>
>
> *IF* one performs an "su -" from the prompt, there is a log of who 
> logged in as root [will be one of john, bill, or sam].  *IF* one 
> remotely logs in as root, then where they came from is logged [and by 
> looking at who was logged on, could inform you which of john, bill, or 
> same performed the dirty work].

No.  The only action logged would be the actual login.

>
> OTOH, if rm -rf / is executed, as root, this will wipe the hard drive, 
> including logs.....
>
> [Note, I have performed this on a running system *on purpose* [it was 
> going to be re-imaged anyway]].

I used that command as an example because it is really the single most 
dangerous command that can inadvertently be done as root, and a single 
keystroke can cause it.
  I once tried to do "rm -rf /archive" to clean out an old partition.  
   What I inadvertently typed was  "rm -rf / archive".  :-(
Luckily I did that on my home computer and not at work, _and_ I had a 
backup available. ;-)

>
> Note, also, that NFS mounts and such often require root password 
> priviledges.  So, if john, bill, and sam all know root password, then 
> you are setting yourself up for some bad situations.

sudo can be used to mount as well, and automounting works too.

>
> No one is saying you can't have multiple root users.  I believe most 
> of us are saying that it is not considered a best practice to have 
> multiple root users of a single system, and that if there are cases 
> where you feel that you need multiple root users, there are almost 
> certainly options available to you that significantly reduce the 
> amount of power that such a user has.

That was my point and my original reply was directed toward the OP and 
those who seem to feel his request was a good idea.  

>
>
>
>

More information about the fedora-list mailing list