Difference between revisions of "Root access"

From securityrouter.org, an OpenBSD-based firewall
Jump to: navigation, search
(Security implications)
(Enable root access)
Line 8: Line 8:
  
 
== Enable root access ==
 
== Enable root access ==
To enable root access, set the root user's password by running the CLI command (as user '''admin''')
+
To enable root access, set the root user's password by running the [[configure]] command (as user '''admin''')
 
  admin@fw1.halon.se# set system { authentication { root-password "secret-and-difficult-password"
 
  admin@fw1.halon.se# set system { authentication { root-password "secret-and-difficult-password"

Revision as of 10:00, 11 April 2012

The only way to directly execute UNIX commands, from a shell such as sh, is to enable login of the root user.

Security implications

Because of the inherit problems of local (shell) access, normal H/OS users are only allowed to interact with H/OS via the SOAP API. Even when logged in using secure shell (SSH), users are only allowed to run the cli command, which in itself run other commands via the SOAP API. In this way, the risks of normal users compromising system integrity is minimized. In other words, with root access disabled, the H/OS operating system image should be unmodified, and the system should perform identical to what is instructed by the configuration file.

The root user

The root user is UNIX's default super user, with user ID number 0. Throughout the system, it has full privileges to do everything. Only the user with username "admin" is allowed to activate root access. Thus, users that are not trusted with root access, should not be given access to the admin user. Further, the passwords of the admin and root users should be very long, in order to minimize the risk of other users cracking the hashed, salted passwords.

Enable root access

To enable root access, set the root user's password by running the configure command (as user admin)

admin@fw1.halon.se# set system { authentication { root-password "secret-and-difficult-password"