Re: Solaris, Sudo, and locking the root account

From: Brian Hatch (focus-sun@ifokr.org)
Date: 09/28/01


Date: Fri, 28 Sep 2001 13:04:15 -0700
From: Brian Hatch <focus-sun@ifokr.org>
To: Gordon Ewasiuk <gewasiuk@gnmc.net>
Subject: Re: Solaris, Sudo, and locking the root account
Message-ID: <20010928130415.Y598@ifokr.org>



> What is the general feeling towards locking the root account on Solaris
> when using sudo?

Locking it, as in putting '*' in the shadow passwd field?

Seems a little drastic. On machines where I've wanted to
make sure members of a group never touch root save via sudo,
I came up with a different idea. Give each admin 2 letters
to pick to remember, and when a root pw needs to be changed
each person (in alphabetical order) types in her 2 letters.
Need console access? Get on the phone. A bit faster than
a CD boot and manual fix.

But this is a bit drastic. If your admins won't use sudo
properly, tell them nicely that they'll be fired if they
don't. End of problem. Then everyone can still know the
real root pw in case of emergency. (Or better yet keep
passwords in a pgp encrypted file they can access.)

> I've got no problems booting from a CD, mounting the root FS, and
> unlocking/NP the root acct but a veteran sysadmin kinda looked at me funny
> when I explained it to him.

Explained the 'no root pw' theory, or how to boot from CD?
Hopefully the former, the latter should be something any
veteran admin knows (and has done far more than they'd like
to admit.)

> Is this a standard practice or making more trouble than it's worth?

I'd say it's a bit much.

--
Brian Hatch                   _____
   Systems and                >===<--.    Mmmnnn...
   Security Engineer         |   = |-'    Coffee...
www.hackinglinuxexposed.com  `-----'

Every message PGP signed



