SUMMARY: #root instead of root owns key processes and files

From: Stuart, Reggie (GXS, Maxim) (
Date: Wed Sep 13 2000 - 14:56:36 CDT

The short answer is, removing the #root entry will not cause any problems
(or at least not crash the box, since that part is done). No reboot needed.
Got lot's of recommendation on what to do to the bum (not me!!) that set
this up. I will initiate myself to checking the archive first, soon as I
figure out where it is). The details and misc comments are below (best is

No comments allowed in passwd file.
[jason@panix, many others]

Thanks to all who pointed out that

ps -ef

keys off of uid, just like files do, so theoretically, I could start a
process, delete that user, and then have mayhem on the process table...
will test this shortly. The mapping to the name is done on the fly every
time an "ls" or "ps" (or whatever els) is run.
[Thanks to: Dave LaPorte, Steve Gauthier, Alun

Since there were two root entries, it is important to verify the passwords
are the same in /etc/shadow.
[Thanks to Raman C for helping me avoid potentially serious sun burn!!]

The responses often forked with criticism of using ksh for root, and for
sticking with the default /sbin/sh. Most did not explain why, but here are
a few who did:

It seems the ksh binary is linked to /usr, so if you have to fsck /usr/ at
boot time, you are hosed. [xlint point by Todd Herr & Kent Perrier].

If you must be use ksh as root, you should create a user id called kroot.
[Thanks to John Julian, and at least one other person whose e.mail I deleted

Good advice from Matthew Stier on implementing sudo, and removing the
octothorp (etymology, please?) from the passwd file. This is a development
environment with the root passwds posted on a wall. Sudo would not fit into
this culture well... I checked in my security consciousness in at the
guard's desk. It should help them immensely.

Nasser Manesh wrote out most of the goodies above. (Thanks a bunch!!)

And finally, what should I do the admin when found, his excellency RW:

> Any thoughts?

Yeah, if you killed the idiot who did this, you'd probably be out in 20
years. Heck, if you really got a jury of your peers (other admins), you'd
get off with "Justifiable Homicide". If you did it yourself, and aren't
owning up to it, may you roast in hell ...

Get rid of the comment, DON'T change root's shell, and all will return to
normal. The UID is what's used to define ownership, and the utilities look
up the owner in /etc/passwd when printing that information. So, if you fix
the "root" entry, you should be back in business.


Thanks a bunch!!


U BEFORE POSTING please READ the FAQ located at
. and the list POLICY statement located at
A To submit questions/summaries to this list send your email message to:
A To unsubscribe from this list please send an email message to:
E and in the BODY type:
R unsubscribe sun-managers
S Or
. unsubscribe sun-managers original@subscription.address
L To view an archive of this list please visit:

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:16 CDT