[Veritas-bu] login as unix user

2006-01-26 15:09:36
Subject: [Veritas-bu] login as unix user
From: Nicholas.Snyder AT ngc DOT com (Snyder, Nicholas A.)
Date: Thu, 26 Jan 2006 15:09:36 -0500
One last rant on sudo...accountability.  
It's a lot easier to tell who actually did a sudo <command> versus root
issuing <command>.

-----Original Message-----
From: veritas-bu-admin AT mailman.eng.auburn DOT edu
[mailto:veritas-bu-admin AT mailman.eng.auburn DOT edu] On Behalf Of Jeff
Lightner
Sent: Thursday, January 26, 2006 2:26 PM
To: David Rock; veritas-bu AT mailman.eng.auburn DOT edu
Subject: RE: [Veritas-bu] login as unix user

Hasn't been an issue for me - only one place I worked at had separate
backup admins.  Everywhere else the Unix Admins were also the Backup
Admins.

The place where backup admins were separate was the place that made the
most extensive use of sudo and like I said it didn't have root shell for
them or anyone other than the Unix admins.   

Anyway the idea wasn't to avoid all root access but to restrict it to
only those commands necessary.   Anything that can be scripted can be
made into a sudo command.  The command runs as root but doesn't give
access to root.

Personally I've never much cared for the "we have other holes so why fix
any" approach to security.   Even if there are back door ways to get
root the idea of security is to harden the target.  It's much like
putting a lock on your door and having an alarm system in your house.
It may not prevent all possible break-ins but it will at least limit the
likelihood.
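The two points made in this thread, restricting sudo to the scripted commands a backup admin actually needs (Jeff's message above) and being able to tell afterwards which person ran what (Nicholas's accountability point at the top), can both be checked mechanically. The following is an added example, not code from anyone on the list: it audits a constructed sudoers fragment for rules that hand out ALL or a shell, and parses constructed sudo syslog lines back to the invoking user. The sudoers grammar handled is deliberately simplified (user specs and Cmnd_Alias only; no Defaults, host aliases or NOPASSWD tags), and the command paths, hostnames and usernames in the sample data are made up.

```python
"""Audit a sudoers fragment for over-broad grants and attribute sudo log lines
to the invoking user.  Sample data below is constructed for this example."""
import os
import re

# Constructed sudoers fragment: the weak rule beside the restricted one.
# /usr/local/sbin/restart_tape_drive is a hypothetical site script.
SUDOERS = """
# Weak: full root for the backup group, including an interactive shell
%backup ALL=(ALL) ALL

# Restricted: only the scripted operations the backup admins actually need
Cmnd_Alias BACKUP_OPS = /usr/local/sbin/restart_tape_drive, /sbin/shutdown -r now
%backup ALL=(root) BACKUP_OPS
"""

# Constructed syslog lines in the layout sudo uses when it logs via syslog.
SUDO_LOG = """
Jan 26 14:03:11 bkup01 sudo:  nsnyder : TTY=pts/2 ; PWD=/home/nsnyder ; USER=root ; COMMAND=/usr/local/sbin/restart_tape_drive
Jan 26 14:05:40 bkup01 sudo:  drock : TTY=pts/3 ; PWD=/home/drock ; USER=root ; COMMAND=/bin/bash
Jan 26 14:07:02 bkup01 sudo:  jlightner : TTY=pts/1 ; PWD=/home/jlightner ; USER=root ; COMMAND=/sbin/shutdown -r now
"""

# Commands that turn a "run this one thing as root" grant into a root shell.
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "su"}

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
LOG_RE = re.compile(
    r"sudo:\s+(\S+)\s*:\s*TTY=(\S+)\s*;\s*PWD=(\S+)\s*;\s*USER=(\S+)\s*;\s*COMMAND=(.+)$"
)


def _is_shell(command):
    """True if the command's program name is an interactive shell or su."""
    return os.path.basename(command.split()[0]) in SHELLS


def parse_sudoers(text):
    """Parse Cmnd_Alias and user-spec lines; expand aliases in the command list."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            who, hosts, runas, cmds = m.groups()
            expanded = []
            for c in cmds.split(","):
                c = c.strip()
                expanded.extend(aliases.get(c, [c]))
            specs.append({"who": who, "hosts": hosts,
                          "runas": runas or "root", "commands": expanded})
    return specs


def audit_sudoers(text):
    """Return (who, reason) findings for rules that grant more than scripted commands."""
    findings = []
    for spec in parse_sudoers(text):
        for cmd in spec["commands"]:
            if cmd == "ALL":
                findings.append((spec["who"], "grants ALL commands (effectively a root shell)"))
            elif _is_shell(cmd):
                findings.append((spec["who"], "grants a shell: " + cmd))
    return findings


def attribute_sudo_log(text):
    """Map each sudo syslog line back to the person who invoked it."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        user, tty, pwd, runas, command = m.groups()
        command = command.strip()
        entries.append({"user": user, "tty": tty, "runas": runas,
                        "command": command, "shell_escape": _is_shell(command)})
    return entries


def outside_restricted_set(entries, sudoers_text, who="%backup"):
    """Log entries the restricted rule alone (ignoring any ALL grant) would not permit."""
    allowed = set()
    for spec in parse_sudoers(sudoers_text):
        if spec["who"] == who:
            allowed.update(c for c in spec["commands"] if c != "ALL")
    return [e for e in entries if e["command"] not in allowed]


if __name__ == "__main__":
    for who, reason in audit_sudoers(SUDOERS):
        print("RULE  %-8s %s" % (who, reason))
    for e in attribute_sudo_log(SUDO_LOG):
        flag = " <- shell escape" if e["shell_escape"] else ""
        print("LOG   %-10s ran as %s: %s%s" % (e["user"], e["runas"], e["command"], flag))
    for e in outside_restricted_set(attribute_sudo_log(SUDO_LOG), SUDOERS):
        print("OUTSIDE restricted set: %s ran %s" % (e["user"], e["command"]))
```

Run as a script it flags the `ALL` rule, lists each logged command with the user who typed it, and points out the `/bin/bash` invocation that only the weak rule could have permitted; that last report is what you lose once everyone simply logs in as root.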

-----Original Message-----
From: veritas-bu-admin AT mailman.eng.auburn DOT edu
[mailto:veritas-bu-admin AT mailman.eng.auburn DOT edu] On Behalf Of David Rock
Sent: Thursday, January 26, 2006 11:07 AM
To: veritas-bu AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] login as unix user

* Paul Keating <pkeating AT bank-banque-canada DOT ca> [2006-01-26 10:32]:
> In other words, if you want root access, you can give it to yourself.
> :o)

Or at the very least, make _sure_ management understands that you are
not responsible for maintaining the environment at that point.
Something goes wrong with a tape drive or the server needs to be
rebooted, _they_ better be willing to get someone in place at 2am to
take care of it because you can't.

--
David Rock
david AT graniteweb DOT com
_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
