How many root passwords should you have?

November 5, 2008

There's a simple answer to the question of how many root passwords you should have; clearly, you should have a separate root password for each system. This answer is, shall we say, naive in most situations.

We can see why by asking the traditional security question: what is the actual risk of using the same root password on different systems? The risk is that an attacker who gets your root password from one system can then immediately compromise another. So the first situation where it is mostly or entirely pointless to have separate root passwords is where an attacker could compromise the other machine even without the root password.

The next situation is where blocking the attacker from getting root on other machines isn't actually protecting anything meaningful. For example, if you use ordinary NFS and the attacker gets root on a machine with enough NFS mount permissions, they hardly need root on any other machine, because they already have full access to every user file visible from their machine, which in many cases is 'all of them'.

(Sure, NFS doesn't give them access as root, but this is hardly an obstacle; they can use root powers to become the user's UID and then go to town.)

I could go on, but there's a more general principle here: you don't want to think about machines, you want to think about security domains. There is very little point in using different root passwords on machines in the same security domain, and even if you have multiple security domains you may still want to use the same root password across them, because there are some risks to having lots of passwords.

(And you want to think realistically about what is and isn't in each of your security domains. You may conclude that things are intertwined enough that you only really have one security domain, although you could technically argue that you have several.)
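One way to make the "think in security domains, not machines" argument concrete is to write down the root-level trust relationships you actually have (plain NFS mounts, shared root passwords, diskless boots) and let a small script tell you which hosts collapse into one effective domain. The following is an added example, not code from the original post; the host names, trust edges and reasons are a constructed inventory.

```python
from collections import defaultdict

# Constructed inventory (not from the post). An edge (src, dst, reason) means:
# root on src effectively reaches what matters on dst without dst's root password.
HOSTS = ["ws1", "ws2", "nfs-srv", "dmz-web", "backup"]
TRUST_EDGES = [
    ("ws1", "nfs-srv", "plain NFS mount of all home directories"),
    ("ws2", "nfs-srv", "plain NFS mount of all home directories"),
    ("nfs-srv", "ws1", "nfs-srv serves ws1's root filesystem (diskless client)"),
    ("backup", "nfs-srv", "backup agent runs as root on nfs-srv, keys held on backup"),
]
SHARED_ROOT_PASSWORDS = [["ws1", "ws2"]]  # hosts that currently share a root password

def build_graph(edges, shared_groups):
    """Adjacency map: root on src reaches dst. A shared root password is a
    two-way edge between every pair of hosts in the group."""
    adj = defaultdict(set)
    for src, dst, _reason in edges:
        adj[src].add(dst)
    for group in shared_groups:
        for a in group:
            adj[a].update(b for b in group if b != a)
    return adj

def reach(adj, start):
    """Hosts a root compromise of `start` reaches, transitively (includes start)."""
    seen, stack = {start}, [start]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def effective_domains(hosts, adj):
    """Group hosts that mutually reach each other. Within such a group a separate
    root password protects nothing: root on any member already has the rest."""
    reaches = {h: reach(adj, h) for h in hosts}
    domains, placed = [], set()
    for h in hosts:
        if h not in placed:
            dom = sorted(o for o in hosts if o in reaches[h] and h in reaches[o])
            placed.update(dom)
            domains.append(dom)
    return sorted(domains)

def one_way_exposures(hosts, adj):
    """Pairs (a, b) where root on a reaches b but not the reverse: a separate
    root password on b only helps if b is the machine compromised first."""
    reaches = {h: reach(adj, h) for h in hosts}
    return sorted((a, b) for a in hosts for b in reaches[a] if a != b and a not in reaches[b])

if __name__ == "__main__":
    g = build_graph(TRUST_EDGES, SHARED_ROOT_PASSWORDS)
    print("effective domains:", effective_domains(HOSTS, g))
    print("one-way exposures:", one_way_exposures(HOSTS, g))
```

On the constructed inventory, ws1, ws2 and nfs-srv collapse into a single domain despite being three "machines", while backup sits in its own domain yet already reaches all three, so separate root passwords on them buy nothing against a compromise of backup.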


Comments on this page:

From 71.65.56.124 at 2008-11-06 07:37:13:

We have "classes" of machines, that you could consider as a domain, in the loosest sense.

Essentially, there are machines that the Chief Client Services Officer needs to have access to via root, and there's everything else. Occasionally I'll give a machine to the quantitative analysts to do work on and assign them another root password.

We've got a 6 month rotation on root passwords, and we change them whenever someone leaves who has known the password.

Good article!

-Matt Simmons
http://standalone-sysadmin.blogspot.com

From 64.102.57.229 at 2008-11-06 11:03:42:

You bring up some interesting points.

One related point I'd like to bring up about the problems with having lots of passwords is password management. Depending on budget and requirements, this could make it easier to change or retrieve important passwords. I've mostly used something simple like a Password Safe file saved on network storage that is regularly backed up. From there, you can use a long stringed randomized password, and just copy/paste it when needed.

I also know folks that are evaluating more complicated products and procedures like Cyber-Ark (http://www.cyber-ark.com/index.asp) and e-DMZ Password Auto Repository (http://www.e-dmzsecurity.com/).

- Reamer77

From 83.145.208.36 at 2008-11-08 04:45:40:

Perhaps this line of thought could be extended to cover "security domains" within a single machine that is part of larger security domain. I obviously refer to the effective and/or less effective mandatory access control solutions that have had a long-standing goal of decomposing the single and almighty root into multiple superusers.

I have actually, a few times, 'partly' administered machines with 'multiple roots'; perhaps it was bureaucracy, but the policy required that the higher-level staff managed kernels and such, whereas others had less extensive tasks (managing networks, Apache, etc.). Now, while I refrain from saying anything about the potential benefits and pitfalls of such schemes, the experience was not entirely negative. (And I should add: I would certainly never want to be the person that sets up such systems in the first place.)

In this context one might ask: is the jargon that involves such terms as Multi-Level Security (MLS) and the Biba model a relic from the era of mainframes? Given that, rhetorically, a compromise needs only a boss who demands root access, uses Word documents and browses the web.

j.

Written on 05 November 2008.
Last modified: Wed Nov 5 23:27:38 2008