Using ID 0 to get ROOT privileges?

Posted on 2007-10-11
Last Modified: 2013-11-17
Due to tightening SOX restrictions, we are in need of taking away the root account password from the AIX administrators (me and another guy) and giving it to the IT manager.  However, we still need root access to do our job and can't sudo because, with the commands we'll need, we could get root access anyway.

Another guy in our IT team suggested we just add user accounts for ourselves with an ID of "0" to match root's ID and give us root-like access.  So, my question is, is this possible?  What are the downfalls of using multiple accounts on a single ID, especially if it's Root's ID?  Has anyone done this successfully?

We're using AIX 5L.

Question by:dsstao
    LVL 2

    Accepted Solution

    Question - are they taking away root access so you cannot do certain things or so there is a log of who is doing what?

    Typically, for SOX, we've only concerned ourselves with logging and providing a paper trail.  Everyone using the same account (id 0 effectively) violates that principle.

    What we do is log in as ourselves and su - <mgt account> where the mgt account is to manage whatever it is this box is doing (e.g. dba, or webmaster, etc).  For super access, you can su - root.  All of this is logged and you can audit who logged in (their original account) and then to what account they su'd to do something.

    A final option is (not recommended) sudo bash.  This will give you a shell with root privileges.

    Hope this helps. -T
    LVL 40

    Expert Comment


    It is possible to create users on the server with the same uid 0, but this is as good as having root access. So, it is not recommended since you will be effectively root.

    You need to run privileged commands through sudo.

    LVL 1

    Author Comment

    ajcaruso00: to answer your question, the purpose is indeed for logging and this is what I thought.  Even with sudo, it's possible to masquerade as root which makes logging again impossible, correct?
    LVL 2

    Assisted Solution

    Sure, you can even erase the logs.  But w/ SOX audits, the point is showing you didn't erase the logs (see - no time lapse), everything is audited, and no one can log in directly as root.  If you need to "prove" what you did after su - root, then maybe:

    history -c     (clears the history)

    do what you need....

    history > /var/log/

    or something silly to show every command you entered while acting as root.

    These can be cross-correlated to the logs of when you logged in and typed su -

    With SOX IT audits (and I've had many), the auditors typically don't understand what's going on in IT.  They simply want to see that if, say, on 10/10/07 the balance sheet suddenly shows an extra $100,000,000, you have sufficient documentation and reasonable processes in place that IT didn't change the number (or if they did - it can be traced back to someone) and effectively, not allowing direct root access (e.g. root can't log in directly) and logging in under your ID, the su - is logged.

    Does that help? -T
    LVL 1

    Author Comment

    Yep there it is - ok... thanks for the help!
