Re: user with root privilege


 



Jeff Vian wrote:



Björn Persson wrote:

Our Windows solution is to create two administrator-capable accounts. How
can we best do the same with Linux machines?



I may be wrong but I think it's possible to have several user names with user ID 0.


Keven Ring wrote:

Third, too many "system administrators" [read: ROOT USERS] are likely to cause more headaches than it is worth.



If more than one person needs root access, and a few selected commands through sudo isn't enough, then surely it's better to have multiple root accounts than to share a password.


Björn Persson

I disagree!

I agree with you, however, I must make some points [if at least to throw some humor into the situation]....



Here is a situation where this does not make sense, and the use of sudo does make sense.


1. Multiple users with root authority.
   john,     bill,  and   sam

One of these 3 happens to get mad/upset/frustrated/careless.
This user (let's say john) logs in and runs some commands that are very destructive to the system
(have you ever heard of "rm -rf /" being run????)
All three users' actions are recorded as being done by root, thus no way to track who did what or when.
The analysis of the problem shows that "root" did some dumb/careless/harmful things to the system.


Who is responsible????? Answer: one of the above

*IF* one performs an "su -" from the prompt, there is a log of who logged in as root [will be one of john, bill, or sam]. *IF* one remotely logs in as root, then where they came from is logged [and by looking at who was logged on, could inform you which of john, bill, or sam performed the dirty work].


OTOH, if rm -rf / is executed, as root, this will wipe the hard drive, including logs.....

[Note, I have performed this on a running system *on purpose* [it was going to be re-imaged anyway]].

Note, also, that NFS mounts and such often require root password privileges. So, if john, bill, and sam all know root password, then you are setting yourself up for some bad situations.

No one is saying you can't have multiple root users. I believe most of us are saying that it is not considered a best practice to have multiple root users of a single system, and that if there are cases where you feel that you need multiple root users, there are almost certainly options available to you that significantly reduce the amount of power that such a user has.
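The audit side of the points raised in this thread, as an added example that is not part of the original messages: list every account name that maps to UID 0, then attribute root sessions from the auth log to the user who ran `su` or to the remote address of a direct login. The passwd and log samples are constructed, the log lines assume the usual pam_unix and sshd syslog formats, and the function names are hypothetical.

```python
import re

# Constructed sample data (not from the thread).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:John:/home/john:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
sam:x:1002:1002:Sam:/home/sam:/bin/bash
"""
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 host su: pam_unix(su-l:session): session opened for user root by john(uid=1000)
Mar  3 09:40:17 host sshd[2211]: Accepted password for root from 192.0.2.10 port 50122 ssh2
Mar  3 10:02:44 host su: pam_unix(su-l:session): session opened for user sam by bill(uid=1001)
Mar  3 10:15:09 host su: pam_unix(su-l:session): session opened for user root by sam(uid=1002)
"""

TS = r"^(\w{3}\s+\d+\s[\d:]{8}) \S+ "
# su via PAM: the "by <user>" field is what ties a root shell to a person.
SU_RE = re.compile(TS + r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): "
                   r"session opened for user ([^\s(]+)(?:\(uid=\d+\))? "
                   r"by ([^\s(]*)\(uid=\d+\)")
# Direct remote login: only the source address is recorded, not a person.
SSH_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")

def uid0_accounts(passwd_text):
    """Return every account name whose UID field is 0, in file order."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#") and fields[2] == "0":
            names.append(fields[0])
    return names

def root_sessions(log_text, root_names):
    """Return (timestamp, method, origin) for each session opened as a UID-0 name."""
    found = []
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m and m.group(2) in root_names:
            found.append((m.group(1), "su", m.group(3)))
            continue
        m = SSH_RE.match(line)
        if m and m.group(2) in root_names:
            found.append((m.group(1), "ssh", m.group(3)))
    return found

if __name__ == "__main__":
    roots = uid0_accounts(SAMPLE_PASSWD)
    print("UID 0 accounts:", roots)
    for ts, how, origin in root_sessions(SAMPLE_AUTH_LOG, set(roots)):
        print(ts, how, origin)
```

Attribution like this only works on logs that survive the incident, so run it against a copy forwarded off the host rather than the local files that a destructive root command would remove.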




