Multiple Root ID's considered evil?

Harry Skelton harrys at tons61.UUCP
Fri Sep 22 21:56:05 AEST 1989


We have a problem of multiple logins as root (actually su's since our login
program prohibits direct root access) and I was thinking of adding something
like the "session" program to the shell and have it save the session to
the console hardcopy printer - regardless!  I don't think the user will be
able to get rid of the hard copy without notice, change tty's in midwork,
nor get by the idea that a daemon opens a file for audit then unlink()'s it
while still open to hide it (fsck will fix it later in lost+found) and/or
the daemon can "add" an entry to the directory with the proper inode
information...etc.

Some users try to remove the .history file but fsck picks it up later and
they don't know I keep a second copy elsewhere...:-)

I feel if security (or system) is so bad you need direct root access, then
have a lot of passwords involved!  Perhaps put the "root terminal" on a 
'dialup' device to force two passwords...etc.

Perhaps the best method is a hard copy terminal in a locked box (keys 
accessible though..).
-- 
Harry Skelton - Senior Systems Administrator - U.S. Dept. of Transportation
   ..!attctc!tons61!harrys ..!obdient!tons61!harrys ..!tfd!tons61!harrys
[  Views expressed by Harry Skelton are not those of the US Gov. or CBSI  ]
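
The open-then-unlink() audit file mentioned in the message, as an added C example that is not part of the original post. The /tmp template, the function names and the sample record are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create an audit file, then remove its directory entry while keeping
 * the descriptor open. Returns the fd, or -1 on error. */
int open_hidden_audit(void)
{
    char path[] = "/tmp/audit.XXXXXX";  /* constructed location */
    int fd = mkstemp(path);             /* created mode 0600, read/write */
    if (fd < 0)
        return -1;
    if (unlink(path) != 0) {            /* name is gone, inode stays allocated */
        close(fd);
        return -1;
    }
    return fd;
}

/* Link count of the open file; 0 means no directory entry refers to it. */
long audit_link_count(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (long)st.st_nlink : -1;
}

/* Append one record; returns 0 on success. */
int audit_write(int fd, const char *rec)
{
    size_t n = strlen(rec);
    return write(fd, rec, n) == (ssize_t)n ? 0 : -1;
}

/* Read the log from offset 0 through the same descriptor. */
ssize_t audit_read_all(int fd, char *buf, size_t cap)
{
    ssize_t n = pread(fd, buf, cap - 1, 0);
    if (n >= 0)
        buf[n] = '\0';
    return n;
}

int main(void)
{
    char buf[256];
    int fd = open_hidden_audit();
    if (fd < 0) { perror("open_hidden_audit"); return 1; }
    audit_write(fd, "su root on tty03 by uid 104\n");  /* constructed record */
    audit_read_all(fd, buf, sizeof buf);
    printf("nlink=%ld\n%s", audit_link_count(fd), buf);
    close(fd);  /* last reference dropped */
    return 0;
}
```

While the descriptor is held the log has no pathname to remove, though tools that list open files (such as lsof) still show it. The data is reachable only through that descriptor, so the holder has to keep running or copy the records elsewhere.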



More information about the Comp.unix.wizards mailing list