Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!uunet!virtech!cpcahil
From: cpcahil@virtech.UUCP (Conor P. Cahill)
Newsgroups: comp.unix.wizards
Subject: Re: Multiple Root ID's considered evil?
Message-ID: <1159@virtech.UUCP>
Date: 15 Sep 89 13:51:45 GMT
References: <1723@convex.UUCP> <1989Sep13.082607.981@twwells.com> <4157@buengc.BU.EDU>
Organization: Virtual Technologies Inc
Lines: 30

In article <4157@buengc.BU.EDU>, bph@buengc.BU.EDU (Blair P. Houghton) writes:
> In article <1738@convex.UUCP> tchrist@convex.COM (Tom Christiansen) writes:
> >Certainly.  I perhaps misrepresented my reason.  The real reason was
> >to grant or remove superuser priv's to specific users without having 
> >to constantly muck with the One True Root Password.  I personally
> >don't do it that way at my site, preferring people to log in as 
> >themselves and su.
> 
> What's the diff?

One big difference is that you do not have to pass out the single root
password to every user that needs root privileges.  This makes it 
simpler to maintain and/or control access to root privileges without
having to walk around the building giving everybody the password.

I have worked for clients that use this same functionality with a slight
bend.  They have a setuid root program that has a list of users and 
individual passwords (well protected, of course) that allow those users
to assume root privileges without having to pass out the root password.


These solutions are not used to distinguish the root account from other
0-id accounts, but just a managment tool for limiting the distribution 
of a single password.

-- 
+-----------------------------------------------------------------------+
| Conor P. Cahill     uunet!virtech!cpcahil      	703-430-9247	!
| Virtual Technologies Inc.,    P. O. Box 876,   Sterling, VA 22170     |
+-----------------------------------------------------------------------+