8

I'm working on a web application which handles some sensitive data. We're getting pretty tight on security, and laying out policies to lock down access to machines, and log everything for technical audit purposes.

The question we keep coming back to is this: Who gets root?

Our server instances will have a root user. That root user will have a password. Who should have access to this? Is it possible/desirable to have a machine where no one can have root access?

I'd appreciate any thoughts you have on the subject.

EEAA

4 Answers

14

No one. Make them use sudo so all root-level commands are logged and attributable to a specific person.

ceejayoz
  • +1. Change the root password to something very random, print it out and seal it in an envelope for emergency use only. – EEAA Feb 28 '11 at 15:47
  • Also, change your root account .bashrc so that PROMPT_COMMAND is set to log everything done as the plain root user to syslog. Handy. – Sirex Feb 28 '11 at 15:49
  • A user can use sudo to run a shell; then the commands will not be logged (only the login to bash). – ooshro Feb 28 '11 at 15:51
  • True, unless they do "sudo bash -l" - which they should. If you set the root .bashrc PROMPT_COMMAND it'll log this too, which is one reason it's worth doing. – Sirex Feb 28 '11 at 15:59
  • +1 Also, make sure to set up sudo for higher access levels. At one place all the root passwords were kept in a sealed envelope for just-in-case reasons; if the seal was broken it had to be reported to security and the passwords changed. – st3v3o Feb 28 '11 at 17:02
  • @Sirex: how do you do that with the `PROMPT_COMMAND`? – 0xC0000022L Apr 02 '11 at 15:34
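The PROMPT_COMMAND trick Sirex describes, written out as an added example (this is not code from the thread or from any of its authors). It is a snippet for root's `.bashrc`: before every prompt, bash runs the hook, which takes the most recent history entry and ships it to syslog with `logger(1)` along with the invoking user (`SUDO_USER` survives `sudo bash -l`, so the line stays attributable), the tty and the working directory. The tag `root-shell`, the `auth.notice` priority and the field layout are my choices, not a standard.

```shell
#!/bin/bash
# Added example: append-only command audit for an interactive root shell.
# Drop into /root/.bashrc. Assumes bash and logger(1); field names are constructed.

# Build one audit line. Arguments: invoking user, tty, cwd, raw "history 1" output.
# Kept as a pure function so the formatting can be tested without a live shell.
format_audit_line() {
    local hist_cmd
    # "history 1" prints "  42  cat /etc/shadow"; strip the leading number.
    hist_cmd=$(printf '%s\n' "$4" | sed 's/^ *[0-9][0-9]* *//')
    printf 'user=%s tty=%s pwd=%s cmd=%s' "$1" "$2" "$3" "$hist_cmd"
}

# Hook run by bash before each prompt: log the command that just finished.
# SUDO_USER is set by sudo, so "sudo bash -l" still names the real person.
audit_last_command() {
    logger -p auth.notice -t "root-shell[$$]" \
        "$(format_audit_line "${SUDO_USER:-$USER}" "$(tty 2>/dev/null || echo notty)" "$PWD" "$(history 1)")"
}

# Only wire the hook into an interactive bash; sourcing this elsewhere is harmless.
if [ -n "$BASH_VERSION" ] && [ -n "$PS1" ]; then
    PROMPT_COMMAND='audit_last_command'
fi
```

Forward `auth.*` to a remote syslog host, since anyone who has a root shell can edit or unset `PROMPT_COMMAND`; this makes the shell's activity visible and attributable, it does not make it tamper-proof. For a record that root cannot quietly switch off on the box itself, pair it with `auditd` rules or with sudo's `log_output` session recording.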
3

No-one except maybe a hardware administrator gets root password! The root password should only be usable on the console, not via SSH or other services.

Use groups to define access to different sets of programs with escalated privileges using sudo. For example the wheel group is typically for people that get root privs, but everything gets logged as their user. If people don't need full root privs but only a few commands as some other user, make another group.

Caleb
-1

If you use and deploy selinux, it's possible to remove the typical "all seeing, all knowing" god account that is the normal root setup, and convert it into a more security aware account.

Sirex
  • How? The answer is not really useful as long as it does not give any pointers as to how ;) – 0xC0000022L Apr 02 '11 at 15:37
  • It's a topic way too big to fit in one answer. But to my knowledge selinux can be (and often is) used for this purpose. – Sirex Apr 04 '11 at 09:36
-5

My opinion is that people shouldn't be running commands requiring root permissions, except of course when they are actually logged in as root.

I would recommend using su (switches to root user) instead of sudo (temporarily raises permissions to root level for one command) for this reason. If they need root permission, make them change to root user.

My question is, what are your users doing that they think they need root?

  • 4
    @user76897: I disagree. `sudo` is perfectly suitable for the purpose *and* it logs each command directly issued with the `sudo` prepended. Where, when su is used, you get a shell and nothing inside that shell is logged. `/etc/sudoers` can be tuned very much. You can tell which command can be executed as what user by what user and whether to require password or not, plus a slew of other useful options. One reason someone might need root is to restart a daemon. This is easily achieved with `sudo` without giving full access to the root account. – 0xC0000022L Apr 02 '11 at 15:57
  • This answer doesn't make any sense or address the question. The preference of `su` over `sudo` is not defended and, according to most other voices here, would actually be part of the guys original problem, not a solution. – Caleb Apr 02 '11 at 16:02
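Caleb's group-based tiers and 0xC0000022L's point that `/etc/sudoers` can grant a single daemon restart without full root, put together as an added example (my code, not anything posted in the thread). The script renders a `sudoers.d` drop-in with two tiers, a full-root group and a group that may only restart or inspect named services, turns on per-command logging and I/O session recording so that `sudo bash -l` is captured too, and refuses to install the file unless `visudo -cf` accepts it. The group names `wheel` and `svc-admins`, the service names and the drop-in path are assumptions; change them to match your own hosts.

```shell
#!/bin/sh
# Added example: group-to-privilege sudoers drop-in, validated before install.
# Group names, service names and the target path are constructed assumptions.

# Emit the drop-in text. Arguments: full-root group, limited group,
# space-separated list of services the limited group may restart/inspect.
render_sudoers_fragment() {
    full_group=$1
    svc_group=$2
    services=$3
    cmds=""
    for s in $services; do
        cmds="${cmds:+$cmds, }/bin/systemctl restart $s, /bin/systemctl status $s"
    done
    cat <<EOF
# Managed drop-in; keep /etc/sudoers itself untouched
# Every invocation is logged, and the I/O of every sudo session is recorded,
# so a shell started with "sudo bash -l" is still attributable to the caller.
Defaults    logfile=/var/log/sudo.log
Defaults    log_output
Defaults    iolog_dir=/var/log/sudo-io/%{user}

# Tier 1: operators who get full root, but only ever via sudo
%$full_group ALL=(ALL) ALL

# Tier 2: service owners may only restart/inspect their own daemons
%$svc_group ALL=(root) NOPASSWD: $cmds
EOF
}

# Write the fragment, check its syntax, and install it with the mode sudo
# requires. A syntax error in sudoers locks every admin out, hence the check.
install_sudoers_fragment() {
    target=${1:-/etc/sudoers.d/10-access-tiers}
    tmp=$(mktemp) || return 1
    render_sudoers_fragment "${2:-wheel}" "${3:-svc-admins}" "${4:-nginx postgresql}" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        echo "refusing to install: visudo rejected $tmp" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "$target" && rm -f "$tmp"
}
```

Run `install_sudoers_fragment` as root (for example from a configuration-management hook); `render_sudoers_fragment` alone is safe to run anywhere and is what the drop-in looks like before it is installed. The full `systemctl` paths matter: sudo matches on the exact path, so a bare command name in a `Cmnd` entry would not be honoured and a relative path would let the caller pick which binary runs.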