7

Where I work now, I am forced to use the root account just like everybody else there does. There are no other users. Not even in the DBs. My seniors explained to me that this is done for convenience's sake.

I really know this is wrong, but I would really like to have a real-life example or a very convincing theoretical one so I can prove to them how wrong this is. Not for retaliation or something like it, but maybe to help them understand the risk more and improve our security.

Actually it is really stressful to work as root. In my home network (and boy is it a big home VM network) I don't even dare to log in as root.

They are aware of the threat of accidental erase or modification of crucial files and folders. Of the threat of accidental permission changes.

They insist that we must double-check our programs and our behavior before pressing the "enter" button.

What else could go wrong?

I suspect an external attack (Apache-wise). Also a rogue program. Can a rogue program take control through Apache's wrong permissions?

What else is possible? Thank you!

MDMarra
ioctl
  • Update your CV and run away as fast as you can! – Michael Hampton Mar 21 '13 at 20:24
  • Find new job? Run `rm -rf /` from the nearest executive's terminal when he/she is at lunch? Find new job? – HopelessN00b Mar 21 '13 at 20:24
  • Omg update my CV I am speechless... I cried laughing! – ioctl Mar 21 '13 at 20:27
  • Declare yourself the new vice pres. of cyber security, then change the root password. – Red Cricket Mar 21 '13 at 20:47
  • Seriously, consider finding a better place to work. Cleaning up an organisation-wide stance such as this is a big, big job. I wouldn't want the company having my personal data on the employee files (and soon, backed up on pirate bay). – Sirex Mar 21 '13 at 20:52
  • If "convenience" trumps even very basic security, then I'm not sure this company can be helped. Do they lock the business up at night? Why? It's certainly inconvenient to have to unlock the doors every day. Do you have a company credit card that you carry around? Why? It's certainly more convenient to just make 400 of them and leave them at the various places around town you shop so you don't have to carry it around. – GregD Aug 03 '13 at 16:47
  • The worst aspect about your situation isn't the bad practice, because by virtue of having experience, things *could* be fixed. The true problem is that nobody seems to understand the seriousness of bad practice itself. That would bother me the most. I'm ok with terrible... I inherit terrible all the time! I'm not ok with failing to recognize the problem. Essentially, from everyone else's perspective, why fix what isn't broken??? Oh, but it is broken, very broken, and I'd bet money this is just the tip of the iceberg. – J. M. Becker Aug 03 '13 at 16:50

4 Answers

6

Let's just delete some old logs from the webserver. No need to log in as the web account, we got root.

rm -rf / var/www/logs/2010.log

Whoops! Shouldn't have been root.

David Houde
  • Ok, but this can be done by an insider who knows the root password. Can it be done externally? (I don't want to know the exact way if it may seem like I want to know how to do it. I just want to know if it could be possible.) Everything under /var/www is root:root 777 – ioctl Mar 21 '13 at 20:25
  • No, not 777. I get what you are trying to prove, but in reality it isn't very much of a risk at all. The biggest risk of using root by default is human error, or being socially engineered into running a user-generated script. – David Houde Mar 21 '13 at 20:28
  • i.e.: A buffer overflow inside Apache won't give root access just because the files it is serving are owned by root. This is assuming Apache isn't running as root. – David Houde Mar 21 '13 at 20:28
  • It is not getting any better when prepended by "sudo". And you *would* need to sudo, because an unprivileged user surely would have no write access to security-sensitive logs, would she? – the-wabbit Jul 24 '13 at 23:40
0

Hm.. I've done many bad things as root. I once wrote a script that was supposed to (among other things) periodically clean a directory called /foo. So the script was executing as root and did something like this:

cd /foo
rm -rf *

One day the /foo directory didn't exist because of some problems with our SAN. Result: catastrophe.

Now this is of course just a badly written script; it should have been:

cd /foo  &&  rm -rf *

but it shows you how easy it is to do something seriously bad if you have too much privilege.

The other problem you have when everybody logs in as root is that you lose the whole traceability/auditability thing. Who knows who has done what? Is that really acceptable?

The question to ask yourself (and your employer) is: what is that you need to do that requires you to be root?

On this particular topic I really prefer Solaris over Linux (please don't flame, I'm only talking about the topic of the root user). Even if you are not on Solaris, I believe there are things to be learned from how Solaris does it. You may be able to mimic some of this on Linux.

Solaris (later versions) doesn't by default let you login from outside as root at all. Indeed root has become a role rather than a regular user. If you have the sufficient privilege and know the root password then you can of course login to root, but only after having logged into the host as yourself first and then su into root. This way you can always see who has used the root account.

Furthermore you have the whole fine-grained privs setup on Solaris; for example, you can assign the privilege to bind to a socket <1024 to a particular service. On Linux such a process must be started by root. Secondly you have RBAC and delegation of SMF privileges (the right to start, stop or administer a given service). With this there's rarely a need for anything really to be done as root.

Solaris really - by the way it is configured out-of-the-box as well as the features it offers - discourages you from using root and makes it easy never to use root account. I hope one day to see the same advances in Linux.

Your boss' counter-argument to all of this is that it will take time to define and configure. This is true, but your site seems pretty big. So the key word is standardization. Define those roles once and for all by utilizing the features that your OS brings you. Then standardize across all your servers. The other keyword I would like to bring to the table is the principle of least privilege. You should never have more privilege than your job requires. Unfortunately you are at the mercy of how fine-grained your OS's privilege model and delegation model is, but read up on it and you will likely see that your OS has made great advances in this area in the past 10-15 years, so there's perhaps no longer a need for you to log in as root?

Apache httpd shouldn't run as root. Period! If your webserver gets hacked then the intruder suddenly has root privilege. Your OS may force you to start it as root but apache httpd has a feature for immediately switching to another user. Look into User and Group settings in the config file for Apache httpd.

unixhacker2010
  • @MDMarra no, he means the [Solaris privilege model](http://docs.oracle.com/cd/E23824_01/html/821-1474/privileges-5.html#REFMAN5privileges-5) which indeed *is* unique to Solaris (by definition rather than feature set). Roles are also not groups but part of the [Solaris RBAC model](http://docs.oracle.com/cd/E23824_01/html/821-1456/rbac-1.html). Unfortunately, although unixhacker2010 has some valid points, the provided post still is not an answer to the question. – the-wabbit Jul 24 '13 at 23:38
  • Even better would be `rm -rf /foo/*` – Michael Hampton Aug 03 '13 at 16:33
  • Actually agree with the downvotes. My original posting was more of a rant than an answer to the question. So I've changed it. I actually find the question a bit difficult to answer. What can go wrong? Answer: Just about everything! I've tried to pose a more relevant question: Why log in as root in the first place? – unixhacker2010 Aug 03 '13 at 16:36
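The cd-then-rm failure described in the answer above, as an added example that is not part of unixhacker2010's answer: a cleanup function that fails closed when the target directory is absent and never depends on the working directory, exercised in a throwaway tree it builds itself (the directory and file names are constructed).

```shell
#!/bin/sh
# Added example, not code from the original answer. A directory cleanup that
# fails closed: if the target (the answer's /foo) is absent, nothing is deleted.
# The broken form "cd /foo; rm -rf *" keeps going in the caller's working
# directory when cd fails; for a root cron job that is often / or /root.

# clean_dir DIR: delete DIR's contents. Returns 2 for an empty or "/" argument,
# 1 when DIR is not a directory (e.g. SAN mount missing), 0 on success.
clean_dir() {
    dir=$1
    case "$dir" in
        ''|/) echo "clean_dir: refusing to operate on '$dir'" >&2; return 2 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "clean_dir: '$dir' is not a directory (mount missing?)" >&2
        return 1
    fi
    # Delete entries inside DIR without ever changing the working directory,
    # so a failed cd can never redirect the rm. "--" keeps an entry named
    # like an option (e.g. -rf) from being parsed as one.
    find "$dir" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
}

# demo_clean_dir: exercise both paths in a constructed temporary tree.
# Returns 0 only if the target was emptied, a sibling file survived, and the
# missing-directory and "/" cases were rejected without touching anything.
demo_clean_dir() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/foo/sub" && : > "$t/foo/a" && : > "$t/foo/sub/b" && : > "$t/keep"
    ok=0
    clean_dir "$t/foo" || ok=1
    [ -z "$(ls -A "$t/foo")" ] || ok=1       # target emptied
    [ -f "$t/keep" ] || ok=1                 # sibling untouched
    clean_dir "$t/gone" 2>/dev/null && ok=1  # must fail, not fall through
    [ -f "$t/keep" ] || ok=1                 # still untouched after the failure
    clean_dir / 2>/dev/null && ok=1          # root is always refused
    rm -rf -- "$t"
    return $ok
}
```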
0

Utter stupidity! This is just asking for trouble. I think the seniors need to be fired for convenience's sake.

Apart from accidentally doing something wrong (like rm -rf /, which would have limited effects if you were not root), if someone gets fired for making a dumb mistake that kills a critical server, they might just get all angry and log in remotely and take down the network, or change the root password so no one can log in, and encrypt the root partition or otherwise really mess with your network! Guess what? No one would have any idea who did it, because they used the root account that everyone knows the password to, including all ex-employees.

I strongly suggest you set up some sort of user accounts and only for those that need such access. Where root access is required use sudo. You can also limit per user or per group what they can do with sudo, which programs can be run etc.

Now if an employee leaves, you can remove the user simply by deleting the account.

torchhound
hookenz
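The traceability point made in unixhacker2010's and hookenz's answers, as an added example that belongs to neither answer: a few constructed auth-log lines (the host web01, the users alice, bob and carol, the address and the commands are all invented) parsed with awk to show what a shared root login records versus per-user accounts escalating through sudo.

```shell
#!/bin/sh
# Added example, not code from any answer on this page. The log lines below
# are constructed in syslog auth-log style; host, users, address and commands
# are made up.
AUTH_LOG='Mar 21 20:20:00 web01 sshd[4121]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Mar 21 20:24:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/var/www ; USER=root ; COMMAND=/bin/rm -rf /var/www/logs/2010.log
Mar 21 20:25:13 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/apachectl graceful
Mar 21 20:26:40 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar 21 20:27:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/passwd root'

# shared_root_logins: when everyone logs in as root over ssh, the only thing
# the log can attribute an action to is a source address.
shared_root_logins() {
    printf '%s\n' "$AUTH_LOG" | awk '/sshd.*Accepted .* for root from / { print $11 }'
}

# sudo_report: one "user<TAB>command" line per successful escalation, the
# who-did-what record that a shared root password never produces.
sudo_report() {
    printf '%s\n' "$AUTH_LOG" | awk -F' ; ' '
        / sudo: / && !/NOT in sudoers/ {
            u = $1; sub(/.* sudo: */, "", u); sub(/ : .*/, "", u)
            cmd = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            print u "\t" cmd
        }'
}

# sudo_denied: users who tried to escalate but are not in sudoers; with
# per-user accounts this is a reviewable event rather than silent success.
sudo_denied() {
    printf '%s\n' "$AUTH_LOG" | awk '/ sudo: / && /NOT in sudoers/ { print $6 }'
}

# runs_by USER: how many commands USER ran as root.
runs_by() {
    sudo_report | awk -F'\t' -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}
```

Run against a real /var/log/auth.log (or the journal) the same awk patterns answer the question hookenz's scenario leaves open: which account changed the root password, and from which terminal.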
0

This is so idiotic that it is hard to explain why this is so bad.

You asked for examples of what could go wrong. Here's one:

  • If all applications that use the database server log in with an account that has read/write access to ALL databases, a single web app (like a WordPress site with a buggy or out-of-date plugin) can grant access to all databases. Data can be stolen or just deleted.

And, just saying, maybe the OS root password and the database root password are the same?

Skyhawk
Tsumi