restricting root access

I'm the admin in a shop in which my developers have and use the root account, all UNIX newbies.

I've been unable to convince management myself that this is an unacceptable practice.

I've looked in a couple books I have and can't find any chapters, discussions, etc that make the argument that root access must be restricted.
I've also done a GOOGLE search but my search criteria must have been flawed, nothing came back that would help me.

Can anyone point me to articles or documentation that would serve to illustrate this to management?

Thanks in advance....

  • here's one, and another from a related page. Lots of stuff about restricting root, not leaving root consoles unattended, etc.
  • You might point out to them that MacOS X disables root completely for security reasons.
  • O'reilly's Practical UNIX and Internet Security says "Avoid use of the root account for routine activities that can be done under a plain user ID." In fact, it has a chapter related to the subject.
  • wikipedia: "If access to this account is gained by an unwanted user, this results in a complete breach of the system."
  • IBM's AIX Security Precautions say to "Codify rules and policies for operating as the "super user""
  • bellevuelinux's definition of root includes lots of scary things like "The root user is the most privileged user on the system and has absolute power over it (i.e., complete access to all files and commands). Among root's powers are the ability to modify the system in any way desired and to grant and revoke any permissions (i.e., the ability to access specific files and directories) for any other users, including any of those by default reserved for root."

I just googled "unix root account security". Go nuts. :slight_smile:

Thanks a lot!!