June 21st, 2002, 05:58 PM
Not allowin root login with remote services like ssh also adds to the sercurity because you have to know two passwords instead of one to get to a root shell.
Don't know if this is like this in other *nixs too, but in openbsd, if the weel group is populated, only members of wheel can su to root. So if you make sure all members of wheel have strong passwords and so does root, brute forcing youre way to root would be considerably longer...
Credit travels up, blame travels down -- The Boss
June 21st, 2002, 06:22 PM
That's pretty much it. You can also use other utilites to control your work as root, like sudo. I like sudo, because you have much more control over commands executed by multiple admins, it will ask for a password for each command (helping you to make sure that you want to do something) and you NEVER have to give out the root password. Giving out the root password to multiple people is just bad policy all around.
Put simply (as we always used to say) root leaves big footprints.
Pretty much, there's nothing you won't be able to do as root, whether you intend to or not... that includes deleting needed files caught in a typo or filling your disk up so full that your system will not be able to reboot (you can fill the disk up as a normal user, too - but it's smart enough to leave a reserve).
There are lots of reasons to not do this... pretty much the easiest one - it pretty much defeats all security on the box.
/* You are not expected to understand this. */
June 21st, 2002, 06:55 PM
yes i know...... and to simplify that, you can su to any account provided that you know the root password (or the password of someone in an equivelant group)
Originally posted here by DjM
You can 'su' to any account on a *uix system, providing you know the account password. If you are root, then you can 'su' to any account without a password. (at least it use to be like that, I haven't played with *uix for awhile now).
also, incase you think of it giving your 'personal' account access in the root group dosnt do anything differently than just logging in as root so you kinda get screwed the same way if your account has full privelages...... if that makes any sence to anyone but me
June 21st, 2002, 07:30 PM
su = set user ID
Originally posted here by cyb3rn3tik
btw: 'su' is probably 'standard user'
On solaris su - will set user ID to root (you need the password)
su someOtherUser -will make u that user
If the above was posted elsewhere I aploize for the duplicate
June 24th, 2002, 06:51 AM
rm -rf *
from the / directory
pretty much says everything about why you shouldnt run as root all the time.
BTW, I been there and done that. thankfuly it was just my personal machine
Also, even if you are very very careful about what commands you use and apps you run, if you have to leave a machine for an emergency bathroom or cofee run and dont logout, someone else could cause many problems for you if you are logged in as root
June 24th, 2002, 06:56 AM
I always thought su was super user as well as one other in this thread... hmm...