Re: user with root privilege


 





Keven Ring wrote:

Jeff Vian wrote:



Björn Persson wrote:

Our Windows solution is to create two administrator-capable accounts. How
can we best do the same with Linux machines?




I may be wrong but I think it's possible to have several user names with user ID 0.


Keven Ring wrote:

Third, too many "system administrators" [read: ROOT USERS] are likely to cause more headaches than it is worth.




If more than one person needs root access, and a few selected commands through sudo isn't enough, then surely it's better to have multiple root accounts than to share a password.

Björn Persson

I disagree!


I agree with you, however, I must make some points [if at least to throw some humor into the situation]....


Here is a situation where this does not make sense, and the use of sudo does make sense


1. Multiple users with root authority.
   john,     bill,  and   sam

One of these 3 happens to get mad/upset/frustrated/careless.
This user (let's say john) logs in and runs some commands that are very destructive to the system
(have you ever heard of "rm -rf /" being run????)
All three users' actions are recorded as being done by root, thus no way to track who did what or when.
The analysis of the problem shows that "root" did some dumb/careless/harmful things to the system.


Who is responsible????? Answer: one of the above


*IF* one performs an "su -" from the prompt, there is a log of who logged in as root [will be one of john, bill, or sam]. *IF* one remotely logs in as root, then where they came from is logged [and by looking at who was logged on, could inform you which of john, bill, or sam performed the dirty work].

No. The only action logged would be the actual login.


OTOH, if rm -rf / is executed, as root, this will wipe the hard drive, including logs.....


[Note, I have performed this on a running system *on purpose* [it was going to be re-imaged anyway]].

I used that command as an example because it is really the single most dangerous command that can inadvertently be done as root, and a single keystroke can cause it.
I once tried to do "rm -rf /archive" to clean out an old partition. What I inadvertently typed was "rm -rf / archive". :-(
Luckily I did that on my home computer and not at work, _and_ I had a backup available. ;-)



Note, also, that NFS mounts and such often require root password privileges. So, if john, bill, and sam all know root password, then you are setting yourself up for some bad situations.

sudo can be used to mount as well, and automounting works too.


No one is saying you can't have multiple root users. I believe most of us are saying that it is not considered a best practice to have multiple root users of a single system, and that if there are cases where you feel that you need multiple root users, there are almost certainly options available to you that significantly reduce the amount of power that such a user has.

That was my point and my original reply was directed toward the OP and those who seem to feel his request was a good idea.
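
The accountability difference debated in this thread, as an added example that is not part of any poster's message: it separates root commands that sudo ties to a named user from root sessions (su or direct login) where only the login itself is recorded. The log lines, host name, UID and source address are constructed, and the layout follows the common sudo and PAM syslog format, which varies by distribution and version.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the thread or from a real system).
SAMPLE_LOG = """\
Mar  3 09:12:01 host1 sudo:     bill : TTY=pts/0 ; PWD=/home/bill ; USER=root ; COMMAND=/bin/mount /mnt/nfs
Mar  3 09:15:40 host1 su: pam_unix(su-l:session): session opened for user root by john(uid=1001)
Mar  3 09:20:17 host1 sudo:      sam : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/rm -rf /archive
Mar  3 09:31:55 host1 sshd[2211]: Accepted password for root from 192.0.2.10 port 40022 ssh2
"""

# sudo records the invoking user, the target user and the full command line.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
# su records only that a root session was opened, and by whom.
SU_RE = re.compile(
    r"\ssu(?:\[\d+\])?: .*session opened for user root\S* by (?P<user>[^\s(]+)")
# A direct root login records only the source address.
SSH_ROOT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")


def attribute(log_text):
    """Return (commands, sessions).

    commands: invoking user -> list of commands run as root through sudo.
    sessions: root shells where the entry point is known but the commands
              typed afterwards are not in this log.
    """
    commands = defaultdict(list)
    sessions = []
    for line in log_text.splitlines():
        if m := SUDO_RE.search(line):
            if m["target"] == "root":
                commands[m["user"]].append(m["cmd"])
        elif m := SU_RE.search(line):
            sessions.append(("su", m["user"]))
        elif m := SSH_ROOT_RE.search(line):
            sessions.append(("ssh", m["src"]))
    return dict(commands), sessions


if __name__ == "__main__":
    commands, sessions = attribute(SAMPLE_LOG)
    for user, cmds in commands.items():
        print(f"{user} ran as root via sudo: {cmds}")
    for kind, who in sessions:
        print(f"root session via {kind} from {who}: commands not attributable")
```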








