Assigning ROOT a password
Derek Broughton
news at pointerstop.ca
Mon Apr 28 16:26:52 UTC 2008
Michael Leone wrote:
> On Mon, Apr 28, 2008 at 10:14 AM, Derek Broughton <news at pointerstop.ca>
> wrote:
>
>> A shared secret is not a secret. If more than one person knows root's
>> password, assume it's not a secret.
>
> In many companies, certainly, more than one person knows the password.
> What if the only person who knows the password dies?

That's a perfect example. If more than one person knows the password,
it's - by definition - not a secret. If one person knows, it's still a
secret. If I have sudo privilege, or if I have physical access to the
machine, I can still reset the root password if I need to. OTOH, if I
don't even have a root password, I wouldn't need to.

> In some larger
> companies, the password is recorded on paper in a safe, and only
> accessed by special written request. And then changed, I'm told.

We did that when I worked for a bank. What a waste of effort.

>> I administer a CentOS system that has a root account. I don't know the
>> root password; since I've never had physical access to the system, I
>> probably couldn't ssh in as root anyway; and I've never had any trouble
>> administering it via sudo.
>
> Others do things differently. BTW, were you an employee of the company
> who owned the CentOS system? Some places I know won't give the
> password to consultants (preferring to use sudo, as you do - hey, that
> rhymes! :-)),

It does? I always assumed - despite the fact that the "do" in sudo probably
really is "do" - that sudo rhymes with pseudo (as in "pseudo-root" access).

> but will give it to the head administrator who is an employee.

That's approximately the situation I'm in. I'm associated with the
non-profit that actually owns the machine, but it's installed in a
university computer room and the university controls physical and root
access.

--
derek

More information about the kubuntu-users mailing list