linux.debian.user debian-user@lists.debian.org

#1

OK, this latest discussion about logging in as root got me thinking. I'm fairly new to Linux. Occasionally, when I need to set up something (as an example, my recent DNS questions) I will need to edit a config file, and restart the daemon. I usually start by logging in as myself, then issue individual 'su [command]' commands. After a while, I get tired of typing in the root password over and over, so I just issue a simple 'su' and work as root from there.

Should I be taking a different approach?

--
Jim Hyslop
Dreampossible: Better software. Simply. http://www.dreampossible.ca
Consulting * Mentoring * Training in C/C++ * OOD * SW Development & Practices * Version Management

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

#2

On Sun, Jan 21, 2007 at 10:03:30PM -0500, Jim Hyslop wrote:
> OK, this latest discussion about logging in as root got me thinking. I'm
> fairly new to Linux. Occasionally, when I need to set up something (as
> an example, my recent DNS questions) I will need to edit a config file,
> and restart the daemon. I usually start by logging in as myself, then
> issue individual 'su [command]' commands. After a while, I get tired of
> typing in the root password over and over, so I just issue a simple 'su'
> and work as root from there.
>
> Should I be taking a different approach?
>

You want sudo.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com

#3

Roberto C. Sanchez wrote:
>
> You want sudo.

Ah, very nice - thanks for the tip.

--
Jim Hyslop

#4

On Sun, 2007-01-21 at 22:03 -0500, Jim Hyslop wrote:
> OK, this latest discussion about logging in as root got me thinking. I'm
> fairly new to Linux. Occasionally, when I need to set up something (as
> an example, my recent DNS questions) I will need to edit a config file,
> and restart the daemon. I usually start by logging in as myself, then
> issue individual 'su [command]' commands. After a while, I get tired of
> typing in the root password over and over, so I just issue a simple 'su'
> and work as root from there.
>
> Should I be taking a different approach?

My practices are for accountability. I like to believe they are best practices.

* Never connect to remote machine as root... there are exceptions, but they are few and far between.
* Login to a machine as a regular non-privileged user.
* If the need arises use a method to allow "limited privileges" in a granular way. I use "sudo"; it allows one to give "user creation" without giving the keys to the machine to the person or desk person.
* If you need a graphical method, I use "sux" or in combo "sudo sux -" and then run the program... then exit.
* If you really need to *BE* root, "sudo su -" or "sudo sux -" for only as long as you need.

It is really all about accountability or being able to track who did what when. To track problems caused by administration errors, or to track when someone uses things they shouldn't. IOW, about limiting users doing harmful things.

If you need more... ask specific questions.

--
greg, greg@gregfolkert.net

The technology that is Stronger, better, faster: Linux
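
Added example, not part of the message above or of the thread: a shell function that turns sudo's syslog records into a who-ran-what-as-whom report, which is the accountability trail discussed in post #4. The log lines are constructed samples in the format sudo writes to /var/log/auth.log, and the function names are illustrative; records where sudo only started a root shell ("sudo su -", "sudo sux -") are flagged because commands typed inside that shell are not logged individually.

```shell
#!/bin/sh
# Constructed sample of sudo's syslog records as they appear in /var/log/auth.log.
sample_log() {
cat <<'EOF'
Jan 21 22:10:01 ns1 sudo:      jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/usr/bin/vi /etc/bind/named.conf
Jan 21 22:11:40 ns1 sudo:      jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/etc/init.d/bind9 restart
Jan 21 22:15:02 ns1 sudo:     greg : TTY=pts/1 ; PWD=/home/greg ; USER=root ; COMMAND=/bin/su -
Jan 21 22:20:13 ns1 sudo:    alice : command not allowed ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/adduser bob
Jan 21 22:21:00 ns1 sshd[812]: Accepted publickey for jim from 192.0.2.10 port 50022 ssh2
EOF
}

# Print "time|user|run-as|status|command" for each sudo record on stdin.
# status is OK, DENIED (sudo refused the request) or SHELL (a root shell was
# started, so the commands typed inside it are not logged one by one).
sudo_audit() {
    awk '
    $5 == "sudo:" && /COMMAND=/ {
        line = $0;    sub(/^.* sudo: +/, "", line)   # drop the syslog prefix
        user = line;  sub(/ : .*/, "", user)         # invoking user
        runas = line; sub(/.*USER=/, "", runas); sub(/ ;.*/, "", runas)
        cmd = line;   sub(/.*COMMAND=/, "", cmd)
        split(cmd, word, " ")                        # word[1] is the program path
        status = "OK"
        if (line ~ /command not allowed|NOT in sudoers|incorrect password/) {
            status = "DENIED"
        } else if (word[1] ~ /\/(su|sux|sh|bash)$/) {
            status = "SHELL"
        }
        print $1 " " $2 " " $3 "|" user "|" runas "|" status "|" cmd
    }'
}

# Stand-alone run over the constructed sample.
sample_log | sudo_audit
```
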

#5

On 01/21/07 21:31, Greg Folkert wrote:
> On Sun, 2007-01-21 at 22:03 -0500, Jim Hyslop wrote:
>> [snip]
> It is really all about accountability or being able to track who
> did what when. To track problems caused by administration errors,
> or to track when someone uses things they shouldn't. IOW, about
> limiting users doing harmful things.

Are there any auditing packages, which record every program registered in the audit system, for every user registered in the audit system?

OpenVMS and z/OS have such a feature, and I'd bet a dollar that Slowlaris, Aichs, HP-SUX & Tru64 have something similar.

#6

On 01/21/07 21:03, Jim Hyslop wrote:
> OK, this latest discussion about logging in as root got me thinking. I'm
> fairly new to Linux. Occasionally, when I need to set up something (as
> an example, my recent DNS questions) I will need to edit a config file,
> and restart the daemon. I usually start by logging in as myself, then
> issue individual 'su [command]' commands. After a while, I get tired of
> typing in the root password over and over, so I just issue a simple 'su'
> and work as root from there.
>
> Should I be taking a different approach?

I'm sure that some will want to rake me over the coals, but I say that you should just type:

    $ su -l

It will prompt you for the root password, then execute /root/.bashrc and cd ~root and then drop you to a # prompt.

I keep *one* xterm window running "su -l" at all times. (Of course, my xscreensaver is also aggressive about locking the console.)

#7

On Sunday, 21.01.2007 at 22:03 -0500, Jim Hyslop wrote:
> OK, this latest discussion about logging in as root got me thinking.
> I'm fairly new to Linux. Occasionally, when I need to set up something
> (as an example, my recent DNS questions) I will need to edit a config
> file, and restart the daemon. I usually start by logging in as myself,
> then issue individual 'su [command]' commands. After a while, I get
> tired of typing in the root password over and over, so I just issue a
> simple 'su' and work as root from there.
>
> Should I be taking a different approach?

As people have mentioned, sudo is always useful here. However, the way you manage the system can be different depending on whether (a) there are other sysadmin users of the system, other than yourself, and (b) whether there are other *non*-sysadmin users of the system.

[The example that follows is a counter-example to the most-commonly-offered advice, but that comes because it's a different setup to normal.]

For example, I have one or two servers which run a couple of very basic services each, e.g. DNS, DHCP and I am the only user, namely the sysadmin. There's no graphical environment on these servers and the whole installation is very minimal. There are no other 'users' on the system. And, *every* job that needs to be done to that system (editing the DNS hosts files, restarting the daemons and so on) needs to be done as root. The system is never used in a non-root context.

Therefore, to manage this system I set up no further users other than root, and install my SSH key in root's account, then reconfigure SSHd to allow root logins via key only (so that even someone knowing the root password is unable to login via SSH, unless it's me with my SSH key); I have physical access to the machine, so if it all goes horribly wrong I can of course login as root at the console. If appropriate for the situation, I will probably also install IPtables to ensure that SSH access is only permitted from certain hosts or subnets.

The above example flies in the face of the usual advice, but that's because the circumstances are different and possibly rather extreme. I don't really need accountability, because I'm the only one with access. "Adding a non-privileged user and using sudo" would actually provide less security, because it is adding an additional potentially-compromisable account to the server.

However, if the above server was to be maintained by more than one sysadmin, I'd probably disable root access entirely and insist on 'sudo' for accountability. Further, if there were 'real users' on the system, i.e. users who only ever did non-root work, I'd again probably avoid the root-only approach.

Be careful when recommending the above setup, because I believe it's only appropriate in very limited circumstances.

I'm sure I'm opening myself to some criticism by mentioning the above; please *read* what I've written before replying with "You shouldn't ever use root directly", because I don't believe that's an appropriate criticism in this case. ;-)

As always, so long as one properly considers the implications and carefully assesses the risks versus conveniences of any particular setup, you should do fine.

Cheers,

Dave.

--
Please don't CC me on list messages!
...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
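
Added example, not part of the message above: a shell check that an sshd_config really yields the key-only root login described in post #7, following sshd's rules that the first value seen for a keyword wins and that global settings end at the first Match line. The function names, the constructed sample file and the assumed default of prohibit-password (OpenSSH 7.0 and later; older releases defaulted to yes) are assumptions of this example; on a live host `sshd -T` prints the effective settings.

```shell
#!/bin/sh
# Constructed sample config: key-only root login, plus a later line that sshd ignores.
sample_sshd_config() {
cat <<'EOF'
# /etc/ssh/sshd_config (constructed sample)
Port 22
permitrootlogin without-password
PubkeyAuthentication yes
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF
}

# Print the effective global value of keyword $1 (default $2) for the
# sshd_config on stdin. Keywords are case-insensitive, "Keyword=value" is
# accepted, and the first occurrence wins. Match blocks are not evaluated.
sshd_global_value() {
    awk -v key="$1" -v def="$2" '
    BEGIN { key = tolower(key); val = def }
    NF == 0 || $1 ~ /^#/ { next }
    {   # rewrite "Keyword=value" / "Keyword = value" as "Keyword value"
        if (match($0, /^[ \t]*[A-Za-z]+[ \t]*=/))
            $0 = substr($0, 1, RLENGTH - 1) " " substr($0, RLENGTH + 1)
    }
    tolower($1) == "match" { exit }
    tolower($1) == key { val = tolower($2); exit }
    END { print val }'
}

# Classify root SSH access from PermitRootLogin alone: "disabled", "key-only"
# or "password-allowed". With "yes", whether a password actually works depends
# on the other authentication settings, so it is reported as password-allowed.
root_login_mode() {
    prl=$(sshd_global_value PermitRootLogin prohibit-password)
    case "$prl" in
        no) echo disabled ;;
        prohibit-password|without-password|forced-commands-only) echo key-only ;;
        *) echo password-allowed ;;
    esac
}

# Stand-alone run over the constructed sample.
sample_sshd_config | root_login_mode
```
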

#8

Ron Johnson writes:
> Are there any auditing packages, which record every program
> registered in the audit system, for every user registered in the
> audit system?

Package: acct
Priority: optional
Section: admin
Installed-Size: 368
Maintainer: Daniel Baumann <daniel@debian.org>
Architecture: i386
Version: 6.4~pre1-3
Depends: libc6 (>= 2.3.6-6)
Filename: pool/main/a/acct/acct_6.4~pre1-3_i386.deb
Size: 109148
MD5sum: 46f28e68e65005316a00c639d86419a1
SHA1: 0100c3965fcb1ce3791cd6f041fd0150099ce6b9
SHA256: 12e6095845044b3ca0aa470257b64068b735c1d68930f5a8b11fa99b8d9faa7d
Description: The GNU Accounting utilities for process and login accounting
 GNU Accounting Utilities is a set of utilities which reports and summarizes data about user connect times and process execution statistics.