The first rule for root accounts is: if you have one, don't use it unless you absolutely have to. The second rule is: create as few root accounts on your machine as are necessary to do the job. Wherever possible, find an alternative way to allow groups of users to do system administration tasks, when necessary, without allocating root logins. This can most easily be done with user groups and appropriate permission bits for group access.
As an example of the care you need to take when logged in as root, consider the following. When you are logged in as an ordinary user, there is a shell environment variable called PATH which contains a colon-separated list of directories which will be searched, in the order given, to find the executable file associated with any command name you try to run.
Typically, the contents of PATH might be:
$ echo $PATH
.:/usr/local/bin:/bin:/usr/bin:/usr/X11/bin
In the example, five directories are specified in the search path, beginning with the current directory (.). Having the current directory first is convenient because you may inadvertently create a program file with the same name as some system command you did not know existed. When you then run your new command from the current directory, it is found before the system command of the same name, because the current directory is searched first. Without the current directory in the search, the system command would be executed instead and cause some degree of confusion. A favorite version of this occurs for me when I am writing simple little programs to test out new ideas, because I invariably want to call the new program test, which, of course, is also a standard system command. Unfortunately, if you run the system version of test without any parameters it does nothing visible and simply returns to the shell prompt (with a non-zero exit status), convincing me that my trivial test program doesn't work...
Having said that it is useful to start your PATH variable with the current directory, doing so is definitely an error in the case of your root login. For maximum security, the current directory should not appear at all in root's PATH, and that includes its disguised forms: an empty entry (a leading or trailing colon, or two adjacent colons) is treated by the shell as the current directory, and any relative entry is resolved against it. The same reasoning rules out any directory that ordinary users can write to. To see why this is so, consider the following possibility. One of your users calls you over to the terminal to ask you to perform a system administrator function. You go over to the terminal and, using the su command, change user to root and execute the required system commands, as per your user's request. You then log off as root and carry on with what you were doing previously. What you didn't suspect, however, was that your user was really a hacker who took the opportunity to create a doctored version of the command you were going to run as root, stored in the user's current directory.
If, as root, your PATH starts with the current directory, then when you perform your task for the user by typing the command's bare name, the user's doctored version of the command will be run instead of the real one. Running the user's program as root gives it permission to do anything. A clever hacker will have the doctored program create a root-owned SUID shell somewhere safe and then go on to execute the real program, so that you will be none the wiser... Beware! Two habits reduce the exposure. Depending on your system, plain su may leave the calling user's environment, PATH included, in place, so the user can hand you a bad PATH even if root's own login files set a safe one; su - starts a login shell and gives root its own environment. And when in doubt, type the full path of the command, for example /bin/ls rather than ls, so that PATH is never consulted.
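The search-order trap described above, as an added example in POSIX shell that is not part of the original chapter. It provides a small audit function for a PATH value (rejecting ., empty entries and relative entries) and rebuilds the scenario in a scratch directory: a stand-in for the real command, a doctored copy of the same name in the "user's" directory that leaves a marker file (standing in for the SUID shell) and then execs the real command so the output looks normal, and a simulated root shell whose PATH we choose. The scratch tree, the ls stand-in, the marker file and the function names are all constructed here for illustration; nothing in it runs as root.

```shell
#!/bin/sh
# Added example, not from the original chapter. Audits a PATH value for
# entries that resolve to the current directory and reproduces the lookup
# behaviour described in the text with a trojaned command in a scratch
# directory. The "root shell" is an ordinary /bin/sh whose PATH we control.

# path_is_safe PATH_VALUE
# Returns 0 when every entry is an absolute directory; returns 1 when any
# entry resolves to the current directory: ".", an empty element (leading or
# trailing colon, or "::"), or any relative path.
path_is_safe() {
    case ":$1:" in
        *::*|*:.:*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=:; set -f      # split on ":" only, no globbing
    set -- $1
    set +f; IFS=$_old_ifs
    for _d in "$@"; do
        case "$_d" in
            /*) ;;                    # absolute: fine
            *)  return 1 ;;           # relative: resolved against cwd
        esac
    done
    return 0
}

# setup_demo
# Builds a scratch tree (constructed for this example) and prints its path:
#   $W/bin/ls   stands in for the real system command
#   $W/home/ls  the user's doctored copy: it leaves a marker file (standing
#               in for the SUID shell) and then execs the real command, so
#               the victim sees the normal output
setup_demo() {
    _w=$(mktemp -d) || return 1
    mkdir "$_w/bin" "$_w/home"
    printf '#!/bin/sh\necho "real ls ran"\n' > "$_w/bin/ls"
    printf '#!/bin/sh\n: > "%s/home/.planted"\nexec "%s/bin/ls" "$@"\n' \
        "$_w" "$_w" > "$_w/home/ls"
    chmod 755 "$_w/bin/ls" "$_w/home/ls"
    printf '%s\n' "$_w"
}

# run_as_victim DIR PATH_VALUE
# Simulates root being called over to DIR and typing "ls" by its bare name
# in a fresh shell whose PATH is PATH_VALUE. Prints what the command wrote.
# A new /bin/sh is started so no cached command locations interfere.
run_as_victim() {
    (cd "$1" && /bin/sh -c 'PATH=$1; export PATH; ls' sh "$2")
}

# trojan_fired W
# Returns 0 (and clears the marker) if the doctored copy ran, else 1.
trojan_fired() {
    if [ -e "$1/home/.planted" ]; then
        rm -f "$1/home/.planted"
        return 0
    fi
    return 1
}

# Walk through the scenario with an unsafe and a safe PATH. The output of
# "ls" is identical in both cases; only the marker reveals the difference.
W=$(setup_demo)
for p in ".:$W/bin" "$W/bin"; do
    printf 'PATH=%s\n  output: %s\n' "$p" "$(run_as_victim "$W/home" "$p")"
    if trojan_fired "$W"; then
        printf '  doctored copy ran first (marker left behind)\n'
    else
        printf '  real command ran\n'
    fi
    if path_is_safe "$p"; then
        printf '  audit: safe\n'
    else
        printf '  audit: UNSAFE, current directory is searched\n'
    fi
done
rm -rf "$W"
```

The audit function is the part worth keeping: run it over root's PATH as set by the login files and by su - and it flags the disguised forms (empty and relative entries) that a quick visual check of the variable tends to miss.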
There are many more security issues than I have space to look at here, but the things you have seen in this chapter should start you thinking in the right direction.