North American Network Operators Group


Re: Security Practices question

  • From: Barb Dijker
  • Date: Wed Oct 02 21:49:01 2002

At 05:48 PM 10/2/02 -0700, just me wrote:
> In an environment where every sysadmin is interchangeable, and any one
> of them can be woken up at 3am to fix the random problem of the day,
> you tell me how to manage 'sudoers' on 4000 machines.
Sudo provides for one master sudoers file that you can copy verbatim to any number of machines. The syntax allows for entries to apply to all machines, groups of machines, or a single machine. If your sysadmins are really interchangeable, you don't even need that syntax. Your sudoers file is a simple ALL=ALL for all sysadmins on all machines. If you really have 4000 machines, sudoers is not the only file that is common and needs to be distributed among them.

> In a situation where the team needs root; all per-admin UID 0
> accounts add is accountability and personalized shells/environments.
All UID=0 accounts are one and the same. There is NO accountability whatsoever different than everyone logging in as root...

- if you allow login across the net via ssh or telnet to uid=0 (shame on you, btw), the identity of the user on the other end of the session is not logged - could be anyone. wtmp might log the unique username instead of "root", but it might not depending on the OS.

- if you su, the identity of the user who did the su is logged, so you don't need a separate identity for the account to which they su - may as well just su root.

Once someone is uid=0, via login or su, there is no accountability whatsoever to tie actions to a person. Sudo gives you that in the sudo log.

In unix, accountability is tied to an account. A unix account is one that has a unique UID. All accounting in unix is by UID, not name. Usernames are translated at the time of interpretation from UID. The only time that is not true (poorly written application code notwithstanding) is during the login/su sequence as a convenience to the user, so they don't have to know their UID. The only remnant of the username after login/su is in the environment variables of the shell... which can be changed by the user!!!!!

Please refer to my post on this subject dated 9/23.

...Barb
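The two points Barb makes above, one master sudoers file whose entries are scoped to all machines, a group of machines, or a single machine, and the per-command accountability that the sudo log gives you once someone is uid 0, as an added example that is not part of the original thread. The sudoers syntax (Host_Alias, User_Alias, `user host = (runas) command`) is standard sudo syntax; the hostnames, usernames, commands and log lines are constructed for illustration, and the log format is the sudo syslog style, which differs slightly between sudo versions.

```shell
#!/bin/sh
# Added example, not from the NANOG thread. All hostnames, usernames and
# log lines below are constructed for illustration.

# Emit one master sudoers file. Because entries carry a host field, the
# same file can be copied verbatim to every machine: each host applies
# only the lines that name it (or ALL).
render_sudoers() {
    cat <<'EOF'
# Hypothetical aliases; hostnames are constructed for this example
Host_Alias  WEB      = web01, web02, web03
Host_Alias  DB       = db01
User_Alias  SYSADMIN = alice, bob, carol
User_Alias  DBA      = dave

# Interchangeable sysadmins: root on every machine (the simple ALL=ALL case)
SYSADMIN    ALL   = (ALL) ALL
# Scoped to a group of machines: DBAs may restart the database on DB hosts only
DBA         DB    = (root) /sbin/service postgresql restart
# Scoped to a single machine
alice       web01 = (root) /usr/sbin/apachectl graceful
EOF
}

# Constructed syslog excerpt: two sudo invocations and one su. Note that su
# records who became root, but nothing about what they ran afterwards.
SAMPLE_LOG='Oct  2 21:49:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Oct  2 21:50:12 web01 sudo:      bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/reboot
Oct  2 21:51:03 web01 su: (to root) carol on pts/2'

# Reduce sudo log lines (read on stdin) to "who ran what": the invoking
# username and the command. Lines from su or other programs are dropped,
# since they carry no per-command record.
sudo_actors() {
    sed -n 's/^.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p'
}

# Stand-alone usage
render_sudoers
printf '%s\n' "$SAMPLE_LOG" | sudo_actors
```

Running the script prints the master file followed by `alice /bin/cat /etc/shadow` and `bob /sbin/reboot`; carol's su appears in the log only as the act of becoming root, which is the gap Barb describes. Validate the rendered file with `visudo -c -f <file>` before distributing it.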