Leslie
I must be missing something here, what is the point in protecting the password
assigned to the user who has the name "root" and the UID 0 by giving other
users UID=0. By doing so they have root powers, can do anything the user "root:
can do using their own password and therefore don't need to know the user root
password.
The name "root" has no power, the UID=0 certainly does.
Cheers - Gavin :)
Now why would I tell them that? ;)
Really, I think the point of that maneuver is to protect the
root password. The other uid 0 users don't need to know
the password used for root by the system administrator.
I guess it all depends on what they are paranoid about.
Cordially,
Leslie A. Clark
IBM Global Services - Systems Mgmt & Networking
Detroit
"Gavin Newman"
<NEWMANGJ@banksa. To:
<nv-l@lists.tivoli.com>
com.au> cc:
Subject: [nv-l] Root Authority
06/27/2002 07:05
PM
Leslie
In your second paragraph you say that sites add a "non-root user with a uid
of 0"
They should be aware that it is not the name "root" that has the magic
powers but the uid number 0. You can have any number of names, each with a
UID of 0, and they all have "root power" so if the sites you refer to think
they have circumvented the root "problem" then they are probably in for a
surprise....
Cheers - Gavin
>>> "Leslie Clark" <lclark@us.ibm.com> 27/06/2002 21:27:07 >>>
Of the one hundred or so sites where I have implemented Netview, I have
encountered only three that absolutely would not give root to the Netview
administrator. In all three cases those customers followed a policy of
pushing out a common /etc/passwd file to all AIX systems, so a common
root password was in use for all systems. Not a fashionable approach,
but not all that uncommon.
Some sites add a non-root userid with an effective uid of 0, allowing
most function without the user needing to know root's password. I have
not seen this lately and don't know what the limitations might be if any.
The sudo approach is pretty common and seems to work well.
Many sites with strict AIX support teams simply opt out of AIX support.
They would rather go it alone than put up with the delays involved in
getting someone to come over and type something in for them.
I personally always put it right in the contract that I will have root
access
while I am onsite implementing Netview. Time is money, after all.
Cordially,
---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com
*NOTE*
This is not an Offical Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)
---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com
*NOTE*
This is not an Offical Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)
|