A contractor is asking me to provide him with root access from day one.

Skipping the obvious "no-no"... as he's arguing that in order to do a full review of the system and identify SPOFs etc., he needs root access, what can a root user read/see that a regular user cannot (excluding the root folder and similar)?

To say it in another way: "what can't a regular user read?", "what does he need root access for?"

Please don't downvote without explaining why.

No one
    related, not necessarily a dupe: https://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants – Gerald Schneider Jan 31 '18 at 10:07
  • @GeraldSchneider wow! What a nightmare, that's a great post! :o - However that's not a dupe indeed, it just confirms that some people are simply unreasonable :) – No one Jan 31 '18 at 10:12

2 Answers

Everything. root can read and write all files and directories.

Andrew Schulman
  • Oh yes, surely - but my question is more around "what can't a regular user read?", "what does he need root access for?" – No one Jan 31 '18 at 13:36
  • run `grep -R whatever /` as a regular user and you'll get a complete list with files and directories not accessible to that user. – Gerald Schneider Jan 31 '18 at 13:39
  • @GeraldSchneider does that mean that (from a theoretical point of view) only /proc and specific files that are owned by root (or with strict permissions) would not be readable by that user? – No one Jan 31 '18 at 13:48
  • *root can read and write all files and directories.* [Except for those it can't because of things like "root squash".](https://en.wikipedia.org/wiki/Unix_security#Root_squash) – Andrew Henle Jan 31 '18 at 13:53
  • And except for when additional access control like SELinux locks down access for root to certain contexts. There are ways root can get around this, but it's a lot more difficult than reading the file and ignoring regular file permissions. – John Mahowald Feb 01 '18 at 13:45

As a normal user you can't:

  • check sudoers and their privileges.
  • fully scan disks and volume groups (you might get some information though).
  • see some filesystems (like zones in Solaris, or filesystems dedicated to certain databases).
  • probe some I/O devices.
  • some network information might be unavailable.

Note that I also dislike giving the root password to a stranger, yet at some point you'll have to. Make a backup, just in case.

On a side note, on a day-to-day basis I don't log in as root on my station. I just use root to grow a filesystem (once every other year) or check Apache's log file for PHP errors in my code (once a week).

Archemar
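As an added example (not code from any poster in this thread), here is the classic Unix discretionary-access read check that a regular user is subject to and that root bypasses, applied first to constructed sample metadata for the kind of files a reviewer typically asks for, and then to real metadata of a directory tree. The sample modes, owners and the uid/gid values are assumptions; only plain mode bits are modelled, not ACLs, SELinux contexts, root squash or the search bit on parent directories that the comments above mention.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: frozenset  # primary plus supplementary group ids


def can_read(mode: int, owner_uid: int, owner_gid: int, who: Principal) -> bool:
    """Plain mode-bit (DAC) read check; no ACL, SELinux or root-squash modelling."""
    if who.uid == 0:
        return True  # root ignores the mode bits for reading
    if who.uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in who.gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


# Constructed sample metadata (mode, uid, gid); values are assumptions,
# e.g. /etc/shadow as root:shadow (gid 42) on a Debian-style system.
SAMPLE_FILES = {
    "/etc/shadow": (0o640, 0, 42),
    "/etc/sudoers": (0o440, 0, 0),
    "/proc/1/environ": (0o400, 0, 0),
    "/etc/passwd": (0o644, 0, 0),
}


def root_only(files: dict, who: Principal) -> list:
    """Paths from `files` that `who` cannot read but root can."""
    return sorted(p for p, (m, u, g) in files.items() if not can_read(m, u, g, who))


def audit_tree(root_dir: str, who: Principal) -> list:
    """Same check on real metadata: lstat every regular file, never open contents."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                found.append(path)  # cannot even stat it as the current user
                continue
            if stat.S_ISREG(st.st_mode) and not can_read(st.st_mode, st.st_uid, st.st_gid, who):
                found.append(path)
    return found


if __name__ == "__main__":
    reviewer = Principal(uid=1000, gids=frozenset({1000}))  # assumed unprivileged account
    print(root_only(SAMPLE_FILES, reviewer))
```

Running `audit_tree("/etc", reviewer)` on a real box gives the concrete list of what that account would miss, which is a more precise answer to "what does he need root for" than a blanket yes or no.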