Multiple Root ID's considered evil?

[Rayan Zachariassen]

gwyn at smoke.BRL.MIL (Doug Gwyn) writes:
>In any case, nobody should be logging in as "root".  You should set
>up your system so that system administration can be done by some
>nonprivileged UID.  UID 0 should only be assumed by carefully-checked
>utilities that apply access controls.

You have to be *very careful* in doing this, because of the assumption
spread throughout most unix code that uid 0 is the only one that should
be special-cased.  It is in general easier to break into non-0 accounts
due to such oversights in various ``secure'' code, and it is hard to
get rid of the problem areas.  The only long-term solution I see is a
user-configurable policy routine for each system, because people will do
things their own way no matter what and the security policy should adapt.

We did start out with most of our binaries owned by a non-0 id for
ideological reasons, but quickly reverted to root ownership because of
these problems.  It is easier to firewall root than a zoo of other ids.