Multiple Root ID's considered evil?
der Mouse
mouse at mcgill-vision.UUCP
Sun Sep 17 11:50:46 AEST 1989
In article <17601 at bellcore.bellcore.com>, tr at madeleine.ctt.bellcore.com (tom reingold) writes:
> On the subject of "Multiple Root ID's considered evil?",
> tchrist at convex.com (Tom Christiansen) writes:
>> Some sites are known to have multiple uid 0 accounts so not everyone
>> needs to know the root password. I seem to recall that this is
>> considered a poor idea for security reasons. Could someone please
>> explain why?
> The practice of having multiple privileged logins is criticized
> because it is said that this gives the cracker more chances at
> cracking a privileged password.
This is perfectly true, and it's one of the things you must consider
when deciding what your security tradeoffs are.
> Another small advantage, not to be counted upon heavily, is that
> crackers who don't have your password file may start by assuming that
> there is a "root" login and try to crack that password. If you have
> a "*" as the password field, you rest assured that the cracker can
> try all he likes at that account.
Anyone sophisticated enough to have much hope of cracking a password
given nothing but your passwd file is surely smart enough to search for
other super-user codes. (And to not try to crack an uncrackable
password field!)
der Mouse
old: mcgill-vision!mouse
new: mouse at larry.mcrcim.mcgill.edu
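
An added example, not part of the original post: a small audit of a passwd-format file that lists every uid 0 account, whatever its name, and reports whether its password field is locked (the "*" discussed above) or gives an attacker something to work on. The sample file, its account names and the "x"/"!" conventions are assumptions made for illustration.

```python
# Added example: list every uid 0 account in a passwd(5)-format file.
# SAMPLE_PASSWD is constructed for illustration; it is not from a real system.
SAMPLE_PASSWD = """\
root:*:0:0:Super-User:/:/bin/sh
daemon:*:1:1::/:
opsroot:aX9constructedhash:0:0:Operator root:/:/bin/csh
toor::00:0:Alternate root:/:/bin/sh
alice:bY7constructedhash:101:10:Alice:/usr/alice:/bin/sh
broken-line-without-fields
"""

def classify_password_field(field):
    """Say what the second passwd field offers to someone holding the file."""
    if field == "":
        return "empty"      # login needs no password at all
    if field == "x":
        return "shadowed"   # assumption: hash kept in a separate shadow file
    if field[0] in "*!":
        return "locked"     # cannot match any hash, e.g. the "*" in the post
    return "hash"           # a crypt(3) string that can be attacked offline

def audit_uid0(passwd_text):
    """Return ([(name, status)] for uid 0 entries, [malformed line numbers])."""
    findings, malformed = [], []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        try:
            if len(fields) != 7:
                raise ValueError("expected 7 colon-separated fields")
            uid = int(fields[2])   # "00" and "0" are the same uid
        except ValueError:
            malformed.append(lineno)
            continue
        if uid == 0:
            findings.append((fields[0], classify_password_field(fields[1])))
    return findings, malformed

def crackable_targets(findings):
    """uid 0 names whose field is an attackable hash or needs no password."""
    return [name for name, status in findings if status in ("hash", "empty")]

if __name__ == "__main__":
    found, bad = audit_uid0(SAMPLE_PASSWD)
    for name, status in found:
        print(f"uid 0: {name:10s} password field: {status}")
    print("crackable or open:", crackable_targets(found), "malformed lines:", bad)
```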