More on Multiple root accounts...

Ken Spagnolo KSpagnol at massey.ac.nz
Thu Sep 28 12:09:12 AEST 1989


I've just started reading this topic, so I hope this hasn't been discussed...

On our Pyramid, we almost never su to or login as root.  Instead, I wrote
ssu (single super user), which takes a single command as an argument, checks
to see if you're in a certain, very restricted group, and if so, sets uid
to 0 and execs the command.  A log entry is made of who executed ssu, the
command ssu'd with all its args, the directory ssu was executed from and a
date stamp.  (This is done more to help us back out of any major mistakes
than out of paranoia.)  In this way, the system admin and system programmers
all have the privilege they need, when they need it, and can remain in their
own environment to keep mistakes down.  The operator account was installed
on our system as a synonym for root, but we've even changed that, as this
method seems to address the relevant access and security issues.  Of course
you can 'ssu su' or 'ssu (your favorite shell here)' when it is desirable
(or even undesirable).  I think this is an acceptable method, but I'm sure
some of you don't.  How come?

-- 
--
Ken Spagnolo - Systems Programmer, Postmaster, Usenet Administrator, etc.
   Computer Centre, Massey University, Palmerston North, New Zealand
K.Spagnolo at massey.ac.nz  Phone: +64-63-69099 x8587  New Zealand = GMT+12


