RSS Feed for This PostCurrent Article

Why Would You Want A Second Superuser?

By Bob Plankers on Dec 23, 2008 in Featured, Virtualization

A bunch of people seem to be reposting of the VMware KB article on adding a second superuser (root) account to VMware ESX. I have to ask:

Why would you ever want a second superuser account? Isn’t one enough trouble?

Root is basically a user with full access to the machine. And by “full” I mean “uncontrolled and unaudited.” When it comes to securing a computing environment I don’t usually want to add more accounts like this. I usually want to reduce them, and secure any accounts like that which absolutely need to remain.

My recommendation, in all cases, is to secure your root accounts well with SSH restrictions (which is the default in ESX), firewalling, and very secure passwords. If others need access to the host add an account for them, and if those people need root-level privileges for something look into how to configure sudo so that they can run just the commands they need as root.

The comments over at Leo’s Ramblings have a small discussion about how this is a bad idea, and to Leo’s credit he concurs, acknowledging that sometimes the only fix for a problem is a bad idea. In general, though, the whole “add another root account” idea goes in my category of “just because you can doesn’t mean you should.”

Related Posts

  1. Delete Accounts You Don’t Need
  2. Not Running VMware Capacity Planner as root on Linux
  3. How to Configure IPMI on a Dell PowerEdge running Red Hat Enterprise Linux
  4. Configuring and Securing IPMI on Dell PowerEdge x8xx Hardware
  5. Story of My Life

Trackback URL

  1. 11 Comment(s)

  2. By Cody Bunch on Dec 23, 2008 | Reply

    I agree “just because you can doesn’t mean you should.” However, like Leo says, sometimes the only fix, is a bad idea.

    -Cody
    http://professionalvmware.com

  3. By Roger Lund on Dec 23, 2008 | Reply

    Would it be a bad idea to make a second Super User account like this, and Disable to root account? Wouldn’t it be a better practice than allowing Root to be active, from a security side of things? Since every ESX / ESXi box has a root account, someone trying to get / gain access would try that account first in a event they gain access to the network.

    Let me know your thoughts.

    Roger L

  4. By Matt Simmons on Dec 23, 2008 | Reply

    Once, many many moons ago, probably near the peak of my danger curve, I got tired of su’ing all the time, so I just changed my uid to 0 in the passwd file. That was fun.

  5. By Reamer77 on Dec 23, 2008 | Reply

    Laughing @ Matt S.

    I know… doesn’t contribute much to the discussion, but I had to acknowledge the humor.

  6. By Andrew on Dec 24, 2008 | Reply

    Roger is correct above. The reason you want a second root account is so that you can disable “root” but not lose the ability to have a user with the same privs. Attackers now have to know the super user’s username and password, rather than just the password.

    Simply put, the reason for a second root account for security.

  7. By Bob Plankers on Dec 24, 2008 | Reply

    Thing is, it all seems pretty much like “security through obscurity” to me. If your security relies on someone not knowing that ‘root’ is now called ‘fakeout66′ it’s pretty weak. Someday someone will dump /etc/passwd through a compromised app and your security will be right back where it was.

  8. By Christoph Wegener on Dec 25, 2008 | Reply

    Just to let you know, what you name your uid 0 account doesn’t really matter from a security perspective.
    If you were a blackhat all you want is effective uid 0.
    Creating a second uid 0 account or renaming the original uid 0 account absolutely adds nothing to security! It does not even add any obscurity, as most unix security exploit don’t care about the name service switch or any other built-in name resolution functions. uid 0 stays superuser whatever you do.

    secure the passwords, clamp down your networks, patch your systems.

    Cheers.

  9. By aharden on Dec 25, 2008 | Reply

    Those who would prefer to SSH directly in as root have not yet been burned by the consequences of doing so.

    Since ESX 3.0 secured against root SSH logins, I’ve always created an shell-enabled login and su’d as required. su, UAC, and the like are all really annoying until you’ve accidentally done something you can’t undo.

  10. By Bob Plankers on Dec 26, 2008 | Reply

    @Christoph: Amen.

    @Alex: Also agreed. At least when I do something stupid via sudo I can figure out what I did afterwards. Usually it’s running something as root that should have been running as another user (and screwing up permissions as a result), but sometimes I’m less lucky.

  11. By Andrew on Dec 27, 2008 | Reply

    I’m certainly not advocating the use of a second account…I don’t even use the first root account. sudo eliminates my need to su/login as root, however, the reason you would want to have a second super user, in my opinion, is stated above.

  12. By Tim on Jan 28, 2009 | Reply

    We also hit the problem of having lots of cooks in the kitchen and no accountability.

    We solved this by creating an LDAP group called “ESX Admins” and then putting all the cooks in this group. We then gave this group Administrator rights to the whole ESX cluster.

    There are loop holes in this scheme, people could just point their VIC client directly at a host, but in general they don’t. Thus when someone brings down a host or adds storage it’s logged.

  1. 3 Trackback(s)

  2. Dec 27, 2008: It’s Just Another Layer » root == Bad
  3. Dec 28, 2008: root == Bad « H9Newser’s Blog
  4. Jan 27, 2009: Securing Your Virtual Infrastructure | VMtoday

Post a Comment

 

Please note that while in principle I don't mind promotion of a non-personal web site or blog in the fields below, any comments that are off-topic, derogatory, or spam-like will likely be removed at my discretion.