This is a discussion on Prevent remote root logins within the Linux Security forums, part of the System Security and Security Related category.
Michael Paoli <michael1cat@yahoo.com> wrote:
>> How is that different from having several persons that know the root
>> password?
>
> You stick the "root" (the one and only superuser account, customarily
> root[1]) password in a highly opaque, well sealed, tamper resistant
> envelope, then lock that up in "break glass in case of emergency"
> container, in front of multiple videotaped video cameras, inside your
> highly secure vault behind your mantrap(s) (okay, so some
> environments may be roughly like that).

What he said. This is what I and my sysadmin staff did at $FIRM, a once well-known Linux support company. If someone hypothetically found a way to lose that envelope, then it's a darned good thing that any of us could break in from the physical console in our sleep, if need be. ;->

Mediating superuser access via sudo introduces useful logging (no, _not_ in any way proof against malign root-user intruders, but quite handy for normal accountability auditing), and automatically times out privilege, making it less likely to clobber things by mistake.

--
Cheers, Rick Moen
Habetis bona deum.
rick@linuxmafia.com

boomboom999@yahoo.com wrote:
> Thank you Lew
>
> Could you explain why having more than one "UID 0" could be a problem?
>
> Thank you in advance
>

There are a couple of good reasons why you shouldn't. First, users are identified by their UID. This means that to the logfiles and permissions on the system, these users all look the same. If anyone does anything that causes a problem (intentionally or not), you have no way of confirming who it was.

Second, users should not be logging in with a UID 0 account at all. If each user has a non-privileged account that is capable of using sudo, then the worst that happens is that they have to type a password once or twice when they wouldn't have had to previously (note that this is still the same password used for login). Since they're logging in over SSH (note it should be version 2 - SSH1 is insecure), there's no real disadvantage to this other than the 2 seconds of inconvenience.

You get a number of benefits from this:

Sudo logs everything that the user does - this makes it much simpler to track down problems, be they accidental or otherwise.

You can give and limit permissions at a very fine level; you could have a user that needs to be able to restart apache and modify its settings, for example. This user might have no need to be able to install a kernel module. In multi host environments, this also lets you give a user administrative rights on one host while only having a standard account on another host.

The last reason should be fairly obvious - the user can run programs without root privileges. If the user needs to launch a web browser to download a new version of a kernel patch, or to check a howto document, that web browser doesn't have to have write access to the entire system. This applies even remotely, since it might be impractical to sftp or scp the files in from the user's computer, especially if it's coming in on a slow link.

Brendan Smithyman

Brendan Smithyman <brendan@bitsmithy.net> writes:
>boomboom999@yahoo.com wrote:
>> Thank you Lew
>>
>> Could you explain why having more than one "UID 0" could be a problem?
>>
>> Thank you in advance
>>
>There are a couple of good reasons why you shouldn't. First, users are
>identified by their UID. This means that to the logfiles and
>permissions on the system, these users all look the same. If anyone
>does anything that causes a problem (intentionally or not), you have no
>way of confirming who it was.

One reason for separate accounts with uid 0-- You have 10 machines on which you are root and have a common password. You want to allow blogs to have access as root on machine A. You place a user altroot with uid 0 and with a separate password onto machine A that he can use.

>Second, users should not be logging in with a UID 0 account at all. If
>each user has a non-privileged account that is capable of using sudo,
>then the worst that happens is that they have to type a password once or
>twice when they wouldn't have had to previously (note that this is still
>the same password used for login). Since they're logging in over SSH
>(note it should be version 2 - SSH1 is insecure), there's no real
>disadvantage to this other than the 2 seconds of inconvenience.

>You get a number of benefits from this:

>Sudo logs everything that the user does - this makes it much simpler to
>track down problems, be they accidental or otherwise.

>You can give and limit permissions at a very fine level; you could have
>a user that needs to be able to restart apache and modify its settings,
>for example. This user might have no need to be able to install a
>kernel module. In multi host environments, this also lets you give a
>user administrative rights on one host while only having a standard
>account on another host.

>The last reason should be fairly obvious - the user can run programs
>without root privileges. If the user needs to launch a web browser to
>download a new version of a kernel patch, or to check a howto document,
>that web browser doesn't have to have write access to the entire system.
> This applies even remotely, since it might be impractical to sftp or
>scp the files in from the user's computer, especially if it's coming in
>on a slow link.

>Brendan Smithyman

Unruh wrote:
> One reason for separate accounts with uid 0-- You have 10 machines on
> which you are root and have a common password. You want to allow blogs to
> have access as root on machine A. You place a user altroot with uid 0 and
> with a separate password onto machine A that he can use.

Why would you need to give him a uid 0 account for this? If you give him an unprivileged account and add the line

    username ALL=(ALL) ALL

to your /etc/sudoers file, then the user can become root using his own login password. It's the same privilege level, but with a measure of accountability. He can type "sudo command" to run a single command, or "sudo -s" for su-like functionality. If you need to adjust it later, you don't have to restructure the entire account, you just remove the line from the sudoers file. You can even set it so that he doesn't have to type a password if you really want to, with

    username ALL=(ALL) NOPASSWD:ALL

What can you do as UID 0 that you can't do as a user operating under sudo?

Brendan Smithyman
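
An audit for the two situations discussed in this thread, added here as an example and not part of any poster's message: it lists every account with UID 0 in a passwd file and every sudoers entry that grants ALL commands, tagging the NOPASSWD ones. The function names, the sample accounts `deploy` and `webadmin`, and the sample file contents are constructed for illustration; only simple one-line sudoers entries of the form quoted above are handled.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are arguments so the checks
# can be run on copies of /etc/passwd and /etc/sudoers.

# Names of all accounts whose UID (field 3 of passwd) is 0.
uid0_accounts() {
    awk -F: '$0 !~ /^[ \t]*(#|$)/ && $3 == 0 { print $1 }' "$1"
}

# Users/groups granted "ALL" commands, tagged PASSWD or NOPASSWD.
# Assumption: only simple one-line "who host=(runas) [NOPASSWD:] ALL"
# specs as quoted in the thread; aliases and includes are not expanded.
blanket_sudo_grants() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments, blanks
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next } # settings, aliases
        /=/ {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)       # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
            tag = (spec ~ /^NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
            sub(/^[A-Z]+:[ \t]*/, "", spec)      # drop the tag itself
            if (spec ~ /^ALL[ \t]*$/) print $1, tag
        }
    ' "$1"
}

# Constructed sample files (not real system data).
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
altroot:x:0:0:second superuser:/root:/bin/bash
brendan:x:1000:1000::/home/brendan:/bin/bash
EOF
    cat > "$1/sudoers" <<'EOF'
# constructed sudoers sample
Defaults env_reset
brendan ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD:ALL
webadmin ALL=(root) /usr/sbin/apachectl restart
EOF
}

d=$(mktemp -d) && make_samples "$d"
uid0_accounts "$d/passwd"
blanket_sudo_grants "$d/sudoers"
rm -rf "$d"
```

Any name other than root in the first list is a shared-identity superuser account of the kind the thread argues against; the restricted `webadmin` entry is deliberately not reported.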