Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!munnari.oz.au!metro!nuts!cerberus!Sm
From: Sm@cerberus.bhpese.oz.au (Scott Merrilees)
Newsgroups: comp.unix.ultrix
Subject: Re: su bug in Ultrix 4.1 still there
Message-ID: <1990Dec12.024324.13947@cerberus.bhpese.oz.au>
Date: 12 Dec 90 02:43:24 GMT
References: <1990Dec11.045743.27648@decuac.dec.com>
Distribution: comp
Organization: BHP, Newcastle, Australia
Lines: 22

mjr@hussar.dco.dec.com (Marcus J. Ranum) writes:

> I see the idea of 'su' and ENHANCED security as mutually exclusive,
>to tell you the truth. If you are running under ENHANCED mode, you should
>be serious enough about security not to want anyone rooting around on the
>machine as "root" unless they log in as "root" on a secure tty (in this case,
>*the* secure tty).

It seems that your ideas and mine are totally opposed. I think that
log in as root should be avoided in just about all cases, and that the
privileged user should first log into their own account, then su to
root where necessary. This provides much better tracking of root
access than having someone log into root to do something, which leaves
you with the problem: Who was it? Programmer A or B or C?

If you are logged into a workstation, and need to do something, and
you have the root password, then you should be able to su, and do it,
and su will even write a nice audit record for you.

Sm
--
Scott Merrilees, BHP Information Technology, Newcastle, Australia
Internet: Sm@bhpese.oz.au Phone: +61 49 402132