What can root read that a regular user cannot?

Question

A contractor is asking me to provide him with root access from day one.

Skipping the obvious "no-no"... as he's arguing that in order to do a full review of the system and identifying SPOF/etc, he needs root access, what can a root user read/see that a regular user cannot (excluding the root folder and similar)?

To say it in another way: "what can't a regular user read?", "what does he need root access for?"

Please don't down vote without explaining why

related, not necessarily a dupe: https://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants — Gerald Schneider, Jan 31 '18 at 10:07
@GeraldSchneider wow! What a nightmare, that's a great post! :o - However that's not a dupe indeed, it just confirms that some people are simply unreasonable :) — No one, Jan 31 '18 at 10:12

score 0 · Answer 1 · answered Jan 31 '18 at 13:17

0

Everything. root can read and write all files and directories.

answered Jan 31 '18 at 13:17

Andrew Schulman

8,916

Oh yes, surely - but my question is more around "what can't a regular user read?", "what does he need root access for?" – No one Jan 31 '18 at 13:36
run grep -R whatever / as a regular user and you'll get a complete list with files and directories not accessible to that user. – Gerald Schneider Jan 31 '18 at 13:39
@GeraldSchneider does that mean that (from a theoretical point of view) only /proc and specific files that are owned by root (or with strict permissions) would not be readable by that user? – No one Jan 31 '18 at 13:48
root can read and write all files and directories. Except for those it can't because of things like "root squash". – Andrew Henle Jan 31 '18 at 13:53
And except for when additional access control like SELinux locks down access for root to certain contexts. There are ways root can get around this, but it s a lot more difficult than reading the file and ignoring regular file permissions. – John Mahowald Feb 01 '18 at 13:45

score 0 · Answer 2 · answered Jan 31 '18 at 13:59

as a normal user you can't

check sudoers and their privilege.
fully scan disk and volume group (you might get some information tough).
see some filesystem (like zone in solaris, or filesystem dedicated to certains database).
probe some I/O device.
some network information might be unavailable.

Note that I also dislike giving root password to stranger, yet at a time you'll have to. make a backup, just in case.

On a side note, on a day-to-day basis, I don't log as root on my station. I just use root to grow filesystem (once each other year) or check apache's log file for php error in my code (once a week).

What can root read that a regular user cannot?

2 Answers2