SUMMARY: Who should know the root password?

From: <delcueto_at_r.iie.org.mx>
Date: Tue, 17 Dec 1996 17:05:09 -0600

Once again, and maybe you will say that you have heard about this but,
I have to say it: THIS IS A GREAT BUNCH OF PEOPLE!


First of all thanks to:

        Eli Burke
        Alejandro Arturo Barrera Sanchez
        Christophe Cole
        Bob Sloan
        Mark E. Glidden
        Richard Eisenman
        Cliff Krieger
        Tom Rioux
        Stephane Bortzmeyer
        Ezra Peisach
        Steven Young
        Craig I. Hagan
        Huw Davis
        Jon Nielsen
        Dave Sill
        and the others that will arrive later

The original question was:
---------------------------

Nowadays, with the Unix servers and the client-server applications, sometimes
it is not clear who should have access to the root account. The Networks people
want to have it. The Software Developers also (because they need to start
and stop the Database Engine). The computer operators also have to use it.
And of course, the system manager needs it.

When you talk about 100 servers, 30,000 client PC's and a computer
department of 1,700 people the root password becomes a nightmare.

So how do you handle this? What are your recommendations?

The Unix boxes, of course, are not all DU systems; there are
HP-UX, AIX, Suns, etc.

The answers:
------------

Get sudo (15 of 17 responses). Where?:
        http://www.courtesan.com/courtesan/products/sudo/sudo.html
        ftp.cs.colorado.edu directory /pub/sysadmin/utilities/
        ftp://ftp.cc.utexas.edu/source.doc/sa-book

Use setuid (3 of 17 responses)

Some other recommendations (they are all valuable, so I quote them):
-----------------------------------------------------------------

Cliff Krieger (ckrieger_at_latrade.com) says:
------------------------------------------

First, the Developers: Never EVER, EVER give the developers the root
password!!!!!!!!!!!!!!!!!!!!!!! If they need to start the database,
have them write an application that you can setuid to root. Or use sudo
or some such.

Second, the network people: There are only two reasons they could need
access to the root account. One, to change the IP address...not very
common. Two, to solve routing problems. I would encourage them to
solve routing problems with hardware routes, and just give you one
default static route. Or perhaps run routed or gated if you have to.

Third, the operator: How much do they do that actually requires root
privileges? Backups? Put them in cron, or use setuid or sudo. Or
perhaps you could use NSR and give them just the necessary permissions
in that application. Other tasks, I think you could come up with a way
of giving them access to those tasks that need doing.


Finally, what I would do is write the current root password on a piece
of paper. Fold it several times and put it in a sealed envelope. Put
this envelope in secure place that the people that might need access to
can get to. Perhaps in the computer room. Let people know that it is
only for emergencies when they can not reach one of the system
administrators. Tell them there had better be a message on your
answering machine. And change the password immediately after that one
time use.

Other thoughts on this. Create a second account that has root
privileges and have that password in the envelope so that you don't
have to change your password every time. Also, sign your name across
the seal on the envelope so that you know if it has been opened. They
also can not open it and put it in a new envelope to fool you. Finally,
check the envelope every day.


Stephane Bortzmeyer (bortzmeyer_at_pasteur.fr) says:
-------------------------------------------------

> Nowadays, with the Unix servers and the client-server applications, sometimes
> it is not clear who should have access to the root account.

Nobody (this is not a joke, see later). Shared root is a no-no.

> The Networks people
> want to have it. The Software Developers also (because they need to start
> and stop the Database Engine).

What about setuid? Groups? Do you use them?

> The computer operators also have to use it.
> And of course, the system manager needs it.

Not even him/her.

> So how do you handle this? What are your recommendations?

On all systems I manage, I use setuid and groups to handle strict
authority delegation. For general root delegation, I use sudo. That way:

- people only know one password, their own,
- everything is logged. This is a mandatory feature on a multi-manager
  machine,
- people behave better when using their account rather than a faceless
  one such as root.
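
The delegation Cliff and Stephane describe (developers may only start and stop the database, operators may only run backups, every use logged under the caller's own name), written up as an added example that is not any respondent's own configuration. The group names and the dbctl / run_backup script paths are assumptions.

```shell
#!/bin/sh
# Added example, not any respondent's own configuration: sudo delegation
# for the roles in the question.  The group names and the dbctl / run_backup
# script paths are assumptions for illustration.

# Emit a sudoers fragment in which each role gets exactly the commands it
# needs and nothing that hands out a root shell.
sudoers_fragment() {
    cat <<'EOF'
# Every invocation is logged under the caller's own user name: the audit
# trail that a shared root password can never give you.
Defaults        logfile=/var/log/sudo.log

# Exact argument lists, so dbctl accepts no other sub-command.  Never write
# "/usr/local/sbin/dbctl *": a trailing wildcard permits any arguments.
Cmnd_Alias      DB_CTL = /usr/local/sbin/dbctl start, /usr/local/sbin/dbctl stop
Cmnd_Alias      BACKUP = /usr/local/sbin/run_backup

# Developers start and stop the database engine, nothing else.
%developers     ALL = (root) DB_CTL
# Operators run the backup job, nothing else.
%operators      ALL = (root) BACKUP
EOF
}

# Write the fragment to $1 with the mode sudo insists on (0440).
install_fragment() {
    sudoers_fragment > "$1" || return 1
    chmod 0440 "$1"
}

# Syntax-check a fragment without installing it (visudo -c: check only,
# -f: the file to check).  Returns visudo's status, or 2 if visudo is absent.
check_fragment() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$1"
}

# Succeed if the fragment grants unrestricted root ("ALL = (ALL) ALL"),
# which is just a shared root password under another name; fail otherwise.
grants_full_root() {
    grep -Eq 'ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]*ALL' "$1"
}
```

Drop the fragment into the sudoers include directory only after check_fragment passes; on a system without visudo, edit the main sudoers file through visudo instead.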

Craig I Hagan (hagan_at_cih.com) says:
-----------------------------------

The real answer is that nobody or no more than three people
should have root (not counting a safe, which should
have it written down).

Everyone else should use either

        * restricted operating shells
        * sudo
        * something akin to the above

This will assist you in generating an audit trail.

With that many people, I would recommend that you
keep an eye out for password sniffers, and consider
something like OPIE for root password.

Huw Davies (H.Davies_at_latrobe.edu.au) says:
------------------------------------------

We issue CryptoCards to the members of staff who require root access. The
users log in to the machine using their own account and then run a program
that uses the one-time password generated by the CryptoCard to log in as root.

If you haven't seen one, a CryptoCard is a credit card sized device with a
small keyboard. You enter your personal pin, and then when you log in as
root you are challenged with a six digit number. You enter this on the
CryptoCard which generates an eight digit reply, which is the one-time password.

Dave Sill (de5_at_sws5.ctd.ornl.gov) says:
---------------------------------------

We give people that need free root access their own root account. Just
copy the root password/shadow entries and change the username (e.g.,
"joe"'s root account might be called "joesu") and password (either to
joe's password or a new password only joe knows). Only the sysadmin
knows the password of the "root" account. Make sure "root" is the
first listed uid 0 entry or root-owned files will look like they're
owned by joesu, for example.

Even better is to use something like priv or sudo to give people
limited access to certain commands as root.
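
An added audit for the per-person uid 0 accounts Dave describes (not his code): it lists every uid 0 entry in a passwd-format file, counts the personal ones, and checks his caveat that "root" must be the first uid 0 entry. The sample passwd file is constructed for illustration.

```shell
#!/bin/sh
# Added example, not Dave Sill's code: audit the personal uid 0 accounts
# his "joesu" scheme creates.  Works on any passwd-format file; point it
# at /etc/passwd on a real system.

# Constructed sample passwd file: root first, then a personal root account.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/:/bin/sh
bin:x:1:1:bin:/bin:/bin/false
joesu:x:0:0:Joe's root account:/usr/users/joe:/bin/sh
joe:x:1001:100:Joe:/usr/users/joe:/bin/sh
EOF
}

# Print "name:shell" for every uid 0 entry in the passwd file $1.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 ":" $7 }' "$1"
}

# Succeed only if "root" is the FIRST uid 0 entry.  ls and friends map a
# uid back to the first name that carries it, so a joesu listed before
# root makes every root-owned file look like joesu's (Dave's caveat).
root_listed_first() {
    first=$(awk -F: '$3 == 0 { print $1; exit }' "$1")
    [ "$first" = "root" ]
}

# Count uid 0 entries other than root: each is one more password that
# opens root, so the number should stay small and every name known.
extra_uid0_count() {
    awk -F: '$3 == 0 && $1 != "root" { n++ } END { print n + 0 }' "$1"
}

# Report on one file; status 1 if root is not the first uid 0 entry.
audit_passwd() {
    echo "uid 0 accounts in $1:"
    uid0_accounts "$1"
    echo "personal root accounts: $(extra_uid0_count "$1")"
    root_listed_first "$1" && return 0
    echo "WARNING: root is not the first uid 0 entry in $1" >&2
    return 1
}
```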

Received on Wed Dec 18 1996 - 00:17:40 NZDT