Information Security
October 2003

Controlling Linux root privilege in a Linux environment

Q: At a site with multiple sysadmins, should all of them use one root account or should they each have their own? -E.S.

A: It's definitely better to give each sysadmin a separate account. You might make these root-level accounts by setting their user IDs to 0. Or you could leave them unprivileged, so sysadmins would have to use the "su" command to gain privilege. Using su means that anyone who compromises a sysadmin account would need both the admin's login password and the root password to get root.

In either case, you gain increased audit capability and the ability to contain an account compromise. Separate accounts make it easier to detect account thefts by providing a clearer picture of who is logging in when. Suppose Rob is on vacation. A login from his account should raise a yellow flag. If Rob's account has been stolen, you can deactivate it without locking all your sysadmins out until you issue them new passwords. In addition, by using SSH's AllowUsers directive, you can limit which IP addresses each account connects from....
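The audit points in this answer can be checked mechanically. The Python sketch below is an added example, not part of the original column: it lists root-equivalent (UID 0) accounts, finds OpenSSH AllowUsers entries that carry no source-host restriction, and flags successful SSH logins by an admin who is away. The account names, addresses, log lines and the AWAY set are constructed sample data.

```python
import re

# Constructed sample data (not from the original article).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rob:x:1001:1001:Rob:/home/rob:/bin/bash
alice:x:0:0:Alice (admin):/home/alice:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""
SSHD_CONFIG = """\
# USER@HOST limits the addresses that account may connect from
AllowUsers rob@192.0.2.10 alice@192.0.2.* carol
"""
AUTH_LOG = """\
Oct 12 03:14:07 gw sshd[812]: Accepted password for rob from 192.0.2.10 port 40122 ssh2
Oct 12 09:02:41 gw sshd[955]: Accepted password for carol from 198.51.100.7 port 51810 ssh2
Oct 12 09:05:13 gw sshd[961]: Failed password for alice from 192.0.2.44 port 51822 ssh2
"""
AWAY = {"rob"}  # hypothetical list of admins known to be on vacation

def uid0_accounts(passwd):
    """Accounts other than root whose UID is 0 (root-equivalent logins)."""
    rows = (l.split(":") for l in passwd.splitlines() if l and not l.startswith("#"))
    return [r[0] for r in rows if len(r) >= 3 and r[2] == "0" and r[0] != "root"]

def unrestricted_users(sshd_config):
    """AllowUsers entries with no @HOST part, i.e. allowed from any address."""
    out = []
    for line in sshd_config.splitlines():
        words = line.split()
        if words and words[0].lower() == "allowusers":
            out += [w for w in words[1:] if "@" not in w]
    return out

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")

def away_logins(auth_log, away):
    """Successful SSH logins by accounts that should be idle: (user, source)."""
    hits = (ACCEPTED.search(l) for l in auth_log.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m and m.group(1) in away]

if __name__ == "__main__":
    print("UID 0 besides root:", uid0_accounts(PASSWD))
    print("No source restriction:", unrestricted_users(SSHD_CONFIG))
    print("Logins while away:", away_logins(AUTH_LOG, AWAY))
```

Note that the login from rob's account is flagged even though it comes from his permitted address: a source restriction narrows where a stolen account can be used, but the vacation check is what catches its use.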
