S 2.33 Division of administrator roles under Unix

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

In most Unix systems, there is only one administrator role (the superuser called root with the user ID (UID) 0). Persons with access to this role have full control over the system. In particular, they can read, modify and delete any file, irrespective of access rights.

The superuser password must only be known to the administrators. Disclosure of that password is to be confined to the cases defined in the pertinent regulations, and must be documented. The super-user log-in root can be additionally protected by applying the two-person rule, e.g. by organisational measures such as a split password. In that case, the password must have an extended minimum length (12 characters or more). It must be ensured that the password, in its full minimum length, will be checked by the system.

For a number of Unix systems, division of responsibilities can be achieved by making use of existing administrator roles. In such cases, those roles must be assumed by different persons.

A number of administration activities can also be carried out without access to the root log-in. Where administrators with such special functions exist, use should be made of this option. Especially in those cases where, for large systems, administration functions have to be assigned to several persons, the risks involved can be reduced by an appropriate division of responsibilities. This can be done in two ways:

• Introduction of administrative log-ins. While these have the UID 0, only one program will be started during log-in, with which the administrative function can be executed and which ends with a log-out. Examples: designation of new users, mounting of a drive. For Unix V.4, the administrative log-in names setup, sysadm, powerdown, checkfsys, mountfsys and umountfsys, for instance, may be established with programs of identical names.

• Use of log-ins without the UID 0: These log-in names (sys, bin, adm, uucp, nuucp, daemon and lp) are owners of files and programs which are crucial for the functionality of the system and thus are afforded particular protection. In most Unix systems, they have been predetermined for the administration of the pertinent services.

To determine which log-ins have Administrator rights, auxiliary programs such as USEIT, cops, tiger should be used regularly to search for log-ins which contain UID 0 in the password file.

Additional controls:

• To which persons is the super user password known?

• Have administrator roles been divided up?

• Which log-ins have the UID 0?

• Are there any log-ins with the UID 0 and shell access?