Re: login as 'root' vs 'su root'
From: Green, Simon (Simon.Green_at_EU.ALTRIA.COM)
Date: 06/07/04
- Previous message: Patrick B. O'Brien: "Re: login as 'root' vs 'su root'"
- Maybe in reply to: Leyden, Joseph: "login as 'root' vs 'su root'"
- Next in thread: Leyden, Joseph: "Re: login as 'root' vs 'su root'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Mon, 7 Jun 2004 20:00:57 +0200 To: aix-l@Princeton.EDU
Audit trail. It's particularly important if you've got people logging in
from PCs or workstations using DHCP, which can make it very tough to
identify which individuals are actually logged in.
It also helps to prevent files building up in /, if administrators have
their own smit.* and history. (Though that can be alleviated by giving root
a proper home directory.)
There's something to be said for permitting local logins by root, on the
main console but nowhere else.
The only disadvantage is that administrators have to take the extra time to
login then su. That's trivial, and vastly outweighed by the audit
advantages.
It's theoretically possible that under some bizarre circumstances a login as
root will work when one by a normal user will not. I can't remember this
happening except when non-standard authentication methods were being used:
BoKS/Keon in our case, and then it was easy enough to work round the problem
without resorting to a direct login as root.
What we used to do was bar all direct logins as root, but have a second UID
0 user, with a secret password, known to no man. (Get one person to enter
half the password and write it down; fold the paper over to cover that and
get someone else to enter the second half. Seal it in an envelope and put
it in a secure location. This also has to be audited periodically. You
also need to audit and report on any attempted logins by this emergency
userid, so it helps if you're running the audit system in stream mode,
generating alerts somewhere.)
-- Simon Green Altria ITSC Europe Ltd AIX-L Archive at https://new-lists.princeton.edu/listserv/aix-l.html New to AIX? http://publib-b.boulder.ibm.com/redbooks.nsf/portals/UNIX N.B. Unsolicited email from vendors will not be appreciated. Please post all follow-ups to the list. > -----Original Message----- > From: Leyden, Joseph [mailto:LeydenJ@METRO.NET] > Sent: 07 June 2004 18:29 > To: aix-l@Princeton.EDU > Subject: login as 'root' vs 'su root' > > > What's the major difference? > advantages/disadvantages?
- Previous message: Patrick B. O'Brien: "Re: login as 'root' vs 'su root'"
- Maybe in reply to: Leyden, Joseph: "login as 'root' vs 'su root'"
- Next in thread: Leyden, Joseph: "Re: login as 'root' vs 'su root'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
