nanog mailing list archives

Re: Really, really, really off topic, but (was Re: Security Practices question)


From: "John M. Brown" <john () chagresventures com>
Date: Sun, 22 Sep 2002 16:04:03 -0700


see below


On Sun, Sep 22, 2002 at 03:47:56PM -0700, Etaoin Shrdlu wrote:

"John M. Brown" wrote:

I have question for the security community on NANOG.

I confess that I think of NANOG as not being a security community, rather
it is a group of north american network operators. That said, you can find
all sorts of info for the somewhat naive question below by a slightly
judicious use of our friend, Google. That said, and since I'm avoiding work
that I SHOULD be doing, I will answer your Important question.


Right, operators sometimes have to deal with the practical issues of implementing
security.  Security wonks don't always have to deal with their ideas :)

Yes, Google is a fine resource.  Having messages from the community to 
reference is also fine for my purposes :).


What is your learned opinion of having host accounts
(unix machines) with UID/GID of 0:0

This shows a certain naiveté, and suggests that you have not heard of truly
useful tools such as sudo. If it's UNIX, sudo builds. Why is this a bad
thing? The first number in your password entry implies USER. Not users.
There is simply no way to tell which of many multiples of people might have
made a change in your system, since the UID is the same for all.
 
I can spell soodoo... have used it for years, and advocate its use.  There is
a hidden agenda here, can't talk about it.


In other words:

jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh

I also truly hope that this was just a quick copy by you, and that you are
not truly discussing a system here that allows the password file to
actually contain the password. Please tell me that your password file is at
least shadowed, and that was just a typo.
 
I think clear text is the only way. Makes it easier to remember your
passwords :)  

Ok, that was sarcastic.  Sorry..  Um, OTP, Kerb, SSH, Shadow, etc. are
things I use, as needed, in my networks.



The argument is that that way you don't have to give out the root password;
you can just nuke a user's UID=0 equiv account when they leave and not
have to change the real root account.

I will also supply you with a bit of advice, one that I see even using SSH
over the network to my own machines:

"Don't login as root, use su"


Yes, it's amazing the number of people that allow this.  People with "cred
and respect" in the community.....

 
Now, don't flame me over the question, but provide valid pros or cons
for this practice from your experience.

There are no positive aspects to this practice. I suggest that you get the
wonderful red book (now colored purple, last I recall) by Evi Nemeth et al,
and study it thoroughly.

I've got Evi's rainbow on my shelf (all editions of this FINE FINE book,
Yellow, Red, Purple I believe, right next to the Dragon Book, well dog-eared
K&R (Pre-ANSI and Post-ANSI))

thanks for the comments
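An added check, written for this archive page and not taken from either poster, that flags the two problems raised in the thread: a second account carrying UID 0 (every action by it is recorded as root, so the audit trail cannot tell the people apart), and a password field holding something other than a shadow or lock marker. The passwd text below is constructed for the example (the jmbrown_r line mirrors the shape of the one in the post); the set of shadow/lock markers is an assumption covering common Linux and Solaris conventions, not a complete list.

```python
"""Audit /etc/passwd-style text for the two issues discussed in the thread:
extra UID 0 accounts and password fields that are not shadowed or locked."""

# Constructed sample for this example; not a real password file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jmbrown_r:password:0:0:John M. Brown:/export/home/jmbrown:/bin/mysh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
oldsvc::1003:1003:Old service:/var/lib/oldsvc:/sbin/nologin
"""

# Values in the password field that mean "hash lives in /etc/shadow" or
# "account is locked / no password login".  Assumed list of common markers;
# anything else is treated as a hash or cleartext sitting in passwd itself.
SHADOW_MARKERS = {"x", "*", "!", "!!", "*LK*", "NP"}


def parse_passwd(text):
    """Split passwd(5) lines into dicts; raise on a line with the wrong field count."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell, "line": lineno,
        })
    return entries


def uid0_accounts(entries):
    """Names of every account with UID 0, root included."""
    return [e["name"] for e in entries if e["uid"] == 0]


def audit_passwd(text):
    """Return (kind, account, explanation) tuples for each problem found."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((
                "uid0_alias", e["name"],
                "duplicate UID 0 account; its actions are logged as root, "
                "not as this person; use sudo/su instead",
            ))
        if e["pw"] == "":
            findings.append((
                "empty_password", e["name"],
                "empty password field permits login with no password",
            ))
        elif e["pw"] not in SHADOW_MARKERS:
            findings.append((
                "unshadowed", e["name"],
                "password field holds a hash or cleartext; move it to /etc/shadow",
            ))
    return findings


if __name__ == "__main__":
    for kind, account, why in audit_passwd(SAMPLE_PASSWD):
        print(f"{kind:15} {account:12} {why}")
```

On a real host the same function can be pointed at `open("/etc/passwd").read()`; the empty-field case is worth keeping separate from the unshadowed case because some systems treat an empty field as "no password required" rather than as a lock.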


