A.6 Chapter 5: Users, Groups, and the Superuser

  • Ensure that no two regular users are assigned or share the same account. Never give any users the same UID.

  • Think about how you can assign group IDs to promote appropriate sharing and protection without sharing accounts.

  • Avoid use of the root account for routine activities that can be done under a plain user ID. Disable root logins.

  • Think of how to protect especially sensitive files in the event that the root account is compromised. This protection includes use of removable media and encryption.

  • Restrict access to the /bin/su command, or restrict the ability to su to user root. Consider using sudo instead.

  • /bin/su to the user's ID when investigating problem reports rather than exploring as user root. Always give the full pathname when using su.

  • Scan the files /var/log/messages, /var/adm/sulog, and other appropriate log files on a regular basis for bad su attempts.

  • If your system supports kernel security levels or capabilities, consider using them to restrict what root can do when the system is running.

    Part VI: Appendixes