How to give a user admin privileges?

Started by February 05, 2006 06:02 AM
21 comments, last by pulpfist 18 years, 11 months ago
The user ID is thought to be unique. As you've said, ID 0 is normally given to root. There is no need to make a user a second root. You could add a user to as many groups as you wish. The groups are intended for exactly that purpose. Look for groups named admin, staff, or even root for more privileges, but be aware of security issues if providing groups with such a status.

You should log in as a normal user even if you have a root account, too. If you need to do anything as root you could either make yourself root locally until an exit by
> su
password_of_root
or else temporarily as
> sudo command_that_requires_root_user
password_of_root (some unixes use the user password here)
if you're enabled to use sudo. Sudo is normally active for some time (e.g. 5 minutes), so that the next sudo command in that time interval may not request the password again.

In general: Never change the user ID by hand. Give users privileges by groups if needed.
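
Added example (not part of any post in this thread): a small shell audit for the two points above, listing accounts that share UID 0 and the members of privileged groups. The sample passwd/group data and the account names are constructed, and the `sudo` and `wheel` entries in the group list are assumptions beyond the admin, staff and root groups named in the post.

```shell
#!/bin/sh
# Added example: audit passwd(5)/group(5) data for accounts holding admin rights.

# Print every account whose UID is 0; anything besides root is a "second root".
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print "group:user" for each listed member of a privileged group.
# Caveat: a user whose *primary* GID (passwd field 4) is such a group
# does not appear in the member list and needs a separate check.
privileged_members() {
    awk -F: '
        $1 ~ /^(root|admin|staff|sudo|wheel)$/ && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print $1 ":" m[i]
        }' "$1"
}

# Constructed sample data (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
johnny:x:1000:1000::/home/johnny:/bin/sh
helper:x:0:1001::/home/helper:/bin/sh
EOF
}
sample_group() {
    cat <<'EOF'
root:x:0:
admin:x:110:johnny,alice
users:x:100:johnny,bob
EOF
}

# Run both checks against the constructed files and print a short report.
audit_sample() {
    tmp=$(mktemp -d) || return 1
    sample_passwd > "$tmp/passwd"
    sample_group > "$tmp/group"
    echo "UID 0 accounts: $(uid0_accounts "$tmp/passwd" | tr '\n' ' ')"
    echo "Privileged group members:"
    privileged_members "$tmp/group"
    rm -rf "$tmp"
}

audit_sample
```

On a real system, point the two functions at `/etc/passwd` and `/etc/group` instead of the sample files.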

Quote:
Original post by johnnyBravo
Like are there any issues about this that is covered somewhere, eg how to prevent people from doing such?

Don't give them the root password!!
Yeah, definitely don't give the user a root password. Simply put them in the sudoers file (should be in /etc if I am not mistaken).

Ironically, I removed all access to su on my box, but I can still do:

sudo su -

To get a root shell. Ain't that the darndest thing.
IIRC by adding a user to the admin group, you'll be able to give them a partial set of privileges, rather than all-out root access.
Quote:
I removed all access to su on my box


How did you do that, just change the file's permissions?

Quote:

Don't give them the root password!!

Once someone's logged in, can't they then brute force the root password?

Thanks

[Edited by - johnnyBravo on February 5, 2006 10:18:02 PM]
Quote:

Once someone's logged in, can't they then brute force the root password?

It is possible to get programs that try to brute force passwords by using all kinds of methods like trying the most common passwords, to using dictionaries and so on.
I have heard of successful use of these programs.
Some guys at school cracked our teacher's password in less than 2 days rofl.
They were decent enough to tell him about it though...
Note that using a good password makes this process much harder and more time consuming.

One simple security scheme used on unix/linux to make this even more time consuming, is that every time you type the wrong password, there is a delay (about 2 sec usually) before you can try again!
So if the brute force program has to try 5 million passwords (average) to solve a password, it will now have to wait 2 sec between each try. That is ~2777 hours! By that time, as an administrator, you should have noticed the activity, or even rebooted a few times ^^
If the password is poorly constructed, it can be brute forced in just a few tries.
Bad passwords are typically words found in dictionaries, or common passwords like

gandalf
gollum
<your name>
...


[Edited by - pulpfist on February 5, 2006 11:59:08 PM]
Solaris also allows finer-grained access control.
Another thing to remember is that if you give a script-kiddie access to your floppy/cd drive, they can easily wipe out your entire system in a minute using a rescue disk. I don't know any good software guards against this...
Quote:
Original post by pulpfist
Quote:

Once someone's logged in, can't they then brute force the root password?

It is possible to get programs that try to brute force passwords by using all kinds of methods like trying the most common passwords, to using dictionaries and so on.
I have heard of successful use of these programs.
Some guys at school cracked our teacher's password in less than 2 days rofl.
They were decent enough to tell him about it though...


Ha, when I was in school we had a guy who had the teacher's password, it was silly like the same as their name. He showed me everyone's projects etc.

Quote:
Original post by pulpfist
Note that using a good password makes this process much harder and more time consuming.

One simple security scheme used on unix/linux to make this even more time consuming, is that every time you type the wrong password, there is a delay (about 2 sec usually) before you can try again!

Sounds like a great idea. I'll look into that!

Quote:

Another thing to remember is that if you give a script-kiddie access to your floppy/cd drive, they can easily wipe out your entire system in a minute using a rescue disk. I don't know any good software guards against this...


Oh I don't have to worry about that, it's just a home unix machine, but always online. Just so I can use it from anywhere.

I guess you could remove the cdroms/floppies, somehow disable usb drives, and lock the box together you might be safe :)

Quote:
Original post by igni ferroque
Solaris also allows finer-grained access control.


Thanks, I'm reading it now.
Quote:

One simple security scheme used on unix/linux to make this even more time consuming, is that every time you type the wrong password, there is a delay (about 2 sec usually) before you can try again!

Sounds like a great idea. I'll look into that!


Yep ^^
Actually it is probably default behavior on your system too.
Try it with the su command and you'll see.

Cheers
Ah it is default.

This topic is closed to new replies.
