VMware Cloud Community
Abaronov
Enthusiast
Enthusiast
Jump to solution

root access in ESX 3.0

Disclaimer: I’m not just employed by Veeam Software. I’m the author of the free Veeam RootAccess utility.

To my surprise, the utility is becoming pretty popular…

So the question goes: What are the real (technical) reasons behind disabling root access in ESX 3 by default?

I know one reason: auditing. A few people in my Company know the root (or equivalent) credentials. This means enabling remote root would sort of encourage people to use it and do stuff like reconfig, patching and alike. I then wouldn’t know Who did What and When (3 Ws of the auditing) on my esx. Other than that are there any reasons to disable the root access?

“Sniffing” answer sounds like a non point to me: First, I don’t see the difference between using root directly and sodoing. Second, our network is switched and sniffers are no concern.

Does anyone know any good technical reason (other than auditing) to disable root shell access by default?

Thanks,

Andrei

Reply
0 Kudos
1 Solution

Accepted Solutions
_the_dude_
Enthusiast
Enthusiast
Jump to solution

I second the added security layer opinion.

Also with sudo you can have a much more fine-grained authorization scheme. In the sudoers file you can specify who can do what on your esx server with root rights.

If you let people log in as root, then they can do anything on your system (including changing the password for root, which would lock others using that account out...).

Check out the sudo man page for all options!

View solution in original post

Reply
0 Kudos
3 Replies
soleblazer
Hot Shot
Hot Shot
Jump to solution

It is an added layer of security. If its disabled there is no chance of a script kiddie running a dictionary attack, someone logging in that learned the password, etc.

Its much harder to make a mistake when you always have to use sudo or su to make a root level change. There are really no good reasons to log into a system as root rather than a normal user level account.

_the_dude_
Enthusiast
Enthusiast
Jump to solution

I second the added security layer opinion.

Also with sudo you can have a much more fine-grained authorization scheme. In the sudoers file you can specify who can do what on your esx server with root rights.

If you let people log in as root, then they can do anything on your system (including changing the password for root, which would lock others using that account out...).

Check out the sudo man page for all options!

Reply
0 Kudos
Abaronov
Enthusiast
Enthusiast
Jump to solution

Thanks,

I think the sudo point is good.

Andrei

Reply
0 Kudos