Re: Solaris, Sudo, and locking the root account

From: Neil Dickey (neil@geol.niu.edu)
Date: 09/28/01


Message-Id: <200109282003.PAA19177@shiloh.geol.niu.edu>
Date: Fri, 28 Sep 2001 15:03:38 -0500 (CDT)
From: Neil Dickey <neil@geol.niu.edu>
Subject: Re: Solaris, Sudo, and locking the root account
To: focus-sun@securityfocus.com


Gordon Ewasiuk <gewasiuk@gnmc.net> wrote asking:

>What is the general feeling towards locking the root account on Solaris
>when using sudo? We use sudo on Solaris everywhere and lock the root
>account. This forces all users to sudo -s for a root shell - BUT - after
>an abnormal shutdown, if a filesystem comes up dirty, it might need a
>manual fsck pass. This, of course, requires the root password to enter
>maint. mode.

Sooner or later, everything having to do with security comes down to trust
-- not software so much as people. If the people chosen to be administrators
of a system cannot be trusted with the root account, then you have a serious
and insurmountable problem to start with so long as those people are in your
employ. That said, if your people are trustworthy and the root password is
a good one, then what's the problem with leaving the account unlocked? There
are lots of ways of hacking root privileges that don't involve knowing the
root password. Nowadays they seem to be the principal threat.

I'm neglecting, of course, the use of 'sudo' to allow student or other part-
time help to do such bread-and-butter tasks as performing system backups.

Quick question: Does the sudo shell you use confer full root privileges, or
is it restricted? If the former, then, again, why bother? If the latter,
then it's conceivable that you will be unable to deal with some unforeseen
future combination of adverse circumstances. I think it's best not to paint
one's self into a corner.

>I've got no problems booting from a CD, mounting the root FS, and
>unlocking/NP the root acct but a veteran sysadmin kinda looked at me funny
>when I explained it to him.

That would work unless the CD drive went bad, and they do. That could
be a real heart-breaker if time is money and the boss is standing there
looking daggers at you while you order a new one.

>Is this a standard practice or making more trouble than it's worth?

Given that one is using stuff like SSH2, etc., and not sending the root
password in the clear over the net -- EVER -- my personal opinion, subject
to revision if circumstances warrant, is that you are making more trouble
for yourself than it's worth. ;-)

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115