Re: [nv-l] Root Authority

To: nv-l@lists.tivoli.com
Subject: Re: [nv-l] Root Authority
From: "Leslie Clark" <lclark@us.ibm.com>
Date: Mon, 1 Jul 2002 08:21:25 -0400
This was done at sites where a common password was used for
the user 'root' on all of the unix systems in the enterprise, for the
convenience of the unix administrators. Therefore it was useful to be
able to have some root-powered users whose access was restricted
to a single box.

Cordially,

Leslie A. Clark
IBM Global Services - Systems Mgmt & Networking
Detroit

"Gavin Newman" <NEWMANGJ@banksa.com.au>
06/30/2002 10:05 PM
To: <nv-l@lists.tivoli.com>
cc:
Subject: [nv-l] Root Authority

Leslie

I must be missing something here; what is the point in protecting the
password assigned to the user who has the name "root" and the UID 0 by
giving other users UID=0? By doing so they have root powers, can do
anything the user "root" can do using their own password and therefore
don't need to know the user root password.

The name "root" has no power, the UID=0 certainly does.

Cheers - Gavin :)



Now why would I tell them that? ;)
Really, I think the point of that maneuver is to protect the
root password. The other uid 0 users don't need to know
the password used for root by the system administrator.
I guess it all depends on what they are paranoid about.

Cordially,

Leslie A. Clark
IBM Global Services - Systems Mgmt & Networking
Detroit

"Gavin Newman" <NEWMANGJ@banksa.com.au>
06/27/2002 07:05 PM
To: <nv-l@lists.tivoli.com>
cc:
Subject: [nv-l] Root Authority

Leslie

In your second paragraph you say that sites add a "non-root user with a uid
of 0"

They should be aware that it is not the name "root" that has the magic
powers but the uid number 0. You can have any number of names, each with a
UID of 0, and they all have "root power" so if the sites you refer to think
they have circumvented the root "problem" then they are probably in for a
surprise....

Cheers - Gavin

>>> "Leslie Clark" <lclark@us.ibm.com> 27/06/2002 21:27:07 >>>
Of the one hundred or so sites where I have implemented Netview, I have
encountered only three that absolutely would not give root to the Netview
administrator. In all three cases those customers followed a policy of
pushing out a common /etc/passwd file to all AIX systems, so a common
root password was in use for all systems.  Not a fashionable approach,
but not all that uncommon.

Some sites add a non-root userid with an effective uid of 0, allowing
most function without the user needing to know root's password. I have
not seen this lately and don't know what the limitations might be if any.
The sudo approach is pretty common and seems to work well.

Many sites with strict AIX support teams simply opt out of AIX support.
They would rather go it alone than put up with the delays involved in
getting someone to come over and type something in for them.

I personally always put it right in the contract that I will have root
access while I am onsite implementing Netview. Time is money, after all.

Cordially,


---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com

*NOTE*
This is not an Official Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)
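
Added example, not part of the original thread: since the thread's point is that the UID 0, not the name "root", carries the privilege, an audit of a passwd-format file should list every entry whose UID field is 0 and flag any that is not named root. The sample entries and the account names nvadmin and oper are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts that share UID 0 in a passwd-format file.
# All sample data is constructed; account names are hypothetical.

# Constructed sample in /etc/passwd layout (name:pw:uid:gid:gecos:home:shell).
sample_passwd() {
    cat <<'EOF'
root:!:0:0:root:/:/bin/ksh
nvadmin:!:0:0:NetView admin:/home/nvadmin:/bin/ksh
oper:!:00:1:operator:/home/oper:/bin/ksh
daemon:!:1:1:daemon:/etc:/bin/false
# local comment line
alice:!:1001:100:Alice:/home/alice:/bin/ksh
EOF
}

# Print the login name of every entry whose UID is numerically 0.
# Reads the file given as $1, or standard input when no file is given.
uid0_accounts() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        NF < 7         { next }     # skip malformed lines
        $3 ~ /^0+$/    { print $1 } # "0", "00", ... all resolve to UID 0
    ' "${1:--}"
}

# Print every UID 0 account other than "root".
# Returns 1 when at least one exists, 0 when root is the only UID 0 entry.
audit_uid0() {
    extra=$(uid0_accounts "${1:--}" | awk '$0 != "root"')
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample; on a real host pass /etc/passwd.
sample_passwd | audit_uid0 || echo "^ non-root accounts holding UID 0"
```

The "oper" entry shows why the comparison is on the numeric value: a UID written as 00 is still 0.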






Archive operated by Skills 1st Ltd
