On Sat, 06 Dec 2003 19:07:54 +0100, Michal Zalewski said: > time, which is doubtful. The only use of 'su' is when you believe the old > and silly rule not to allow direct root logins... but the rule is of very > little value - it does not truly make any kind of attack more difficult or > less likely to succeed, and having an extra setuid program (a fairly > complex one, and with several vulnerabilities in the past) is a high price > to pay. Sometimes, old and silly rules aren't just about security. The *real* reason for the "always su from a user account" rule isn't to stop exploits. It's so you have an audit trail of who did what. Quite often in a large shop, you'll have 5 or 6 people who have legitimate root access to a box. Now, no sysadmin is perfect, so somebody *will* screw up eventually. So you're sitting there at 2AM trying to fix something, and find that somebody started changing something, got halfway through, didn't update the Changelog file, and you have no idea what the other half of the change is supposed to be (or even perhaps which half of the change can be backed out). (And yes, I've seen it happen. No matter how dedicated the sysadmin, if the phone rings and they find out their kid fell out of a tree and broke their arm, that change won't get completed or documented - they're out the door and on the way to the hospital). If everybody logs in as root directly, you get to call all 5 other people and hope the first one or two know what's going on. If everybody logs in as themselves, and then su's, you can say "Hey, Charlie logged in at 14:08, and su'ed at 14:10, and the file got changed at 14:15. He's probably the one we need to wake up".
Attachment:
pgp00015.pgp
Description: PGP signature