by effie 1032 days ago
> I have more than one interactive user account on some of them. I put these accounts in the wheel group, to avoid ever using a root password.

Why have multiple different Unix users if all have the same power as the root user? They aren't isolated from each other, they aren't less powerful than root. So why not just use the already existing single root account?


First, some software literally refuses to run as uid 0.

Second, it can still be useful for bookkeeping.

Seems like it’d actually decrease security as now there are several different “root” logins that could be compromised.

Though I suppose, with further thought, it’s not significantly worse than having them in sudoers, in that particular respect.

That's why the same question really applies to the standard but insane practice of using sudo to get root. There is no security difference between root and a lowuser that can sudo into root.

Sudoing into root from a lowuser account is in some scenarios potentially more dangerous than just using both accounts separately, as the user who uses root regularly/very often gets accustomed to the fact that his commands are powerful and can screw up his system, so mistakes almost never happen, while sudoing all the time creates a false sense of security and the user is more likely to run a harmful command with sudo.

Yeah, I don’t really understand why, when I ssh into a VM in the cloud, I have to first connect as a static dummy username like ec2-user, then sudo to root.

Yeah. From http://ec2-downloads.s3.amazonaws.com/AmazonLinuxAMIUserGuid... :

> To prevent remote root exploits, the Amazon Linux AMI does not allow remote root login via SSH[...] By default, the only account that can log in remotely via SSH is ec2-user. The ec2-user has sudo privileges.

Can someone please explain how this makes any sense for better security? It seems to be just security theater.