The last time I looked into individual sudo rule access to
NetBackup I came up with something on the order of 450-odd sudo rules....for a
small Master.
Remember, we're talking about full read/write/execute/create/delete
access to the vast majority of the NetBackup directories. This includes the
images directories, which I wouldn't let our SA's within 10 feet of, as good as
they are. =)
I'll
totally agree with the "can of worms" statement but from the flip-side. Your
SA's do not know what they're going to get into if they try to restrict full
sudo access from the higher-end backup administrators (I'd tend to agree with
some limits on root access for Skippy the Backup Intern).
The
SA's have to figure out how to provide that full read/write/execute/create
access to every directory in /usr/openv through individual sudo rules, or they
spend however many weeks creating and debugging a wrapper script that attempts
to do exactly the same thing which will probably never allow everything you
need to do (cat, tail, head, touch, mkdir, vi, mv, dos2unix, etc).
Plus
patching and initial installs of course. Sure, the SA's could do those for you I
imagine but probably in twice the time it'd take someone familiar with the
process. And what if it fails or does a partial completion ? Right back to
needing root access to fix...
If the
SA's still kick up a fuss, you can always send your backup admins to the basic
training for OS administrators - that would cut out the argument about them not
knowing what they're doing. =) If it's a trust issue then you've hired the wrong
backup admins.
- John Nardello, full time NetBackup Admin, ex-Solaris
Admin.
Well – I’ll agree with
Curtis.
In large organizations
unfortunately the backup tool isn’t the only one that will let you back door
into root. However, one has to have policies in place that make it clear
that administrators of these tools (if they are not also the System Admins)
aren’t allowed to do things outside the scope of the tool.
Handing people direct
root login implies they have equal rights to a system as the SAs and my
experience at my current job has driven home what horrible can of worms that
assumption is and how hard it is to overcome it.
Making folks request
sudo access to various commands makes it clear they are being given limited
access and more difficult for them to say “I didn’t know that wasn’t allowed”
after they do something untoward.
It won’t get rid of
malicious intent but it does help to tamp down on “experimentation” without
change control.
From:
veritas-bu-bounces AT mailman.eng.auburn DOT edu
[mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Ed Wilts Sent: Wednesday, July 02, 2008 1:30
PM To: Curtis
Preston Cc: Esson, Paul;
veritas-bu AT mailman.eng.auburn DOT edu Subject: Re: [Veritas-bu] Non-root
administration
On Wed, Jul 2, 2008 at 12:20 PM, Curtis Preston <cpreston AT glasshouse DOT com>
wrote:
I'm afraid I'm going
to have to respectfully disagree with you, there, Ed. I trust a new
backup admin in that I trust him not to circumvent the security that I have
set up. (OK, Trust but verify.) That's not the same thing as
saying "Well, he's the backup guy, so he can easily get root if he's a black
hat, so we might as well give him root."
The backup admin is
often a junior person, and handing them the complete keys to the kingdom just
because it makes his/her job easier isn't something I'm interested in
doing.
Around here, we have 3 key people in charge of
backups and each of us has been with the organization for over 10 years.
You're probably right in that it is often a junior person, but then most
organizations are often wrong - backups are such a critical part of operations
that assigning them to a junior person is very shortsighted. I saw a
recent presentation going over restore workflows. It should surprise you,
but I'll bet it doesn't, that a very common restore workflow is to submit a
request to add the client to a new backup schedule so you can restore it the
next time you need to...
So what's the
official non-root admin answer for 6.5? I didn't realize the
non-root-admin script was gone.
Symantec has this whole access control/security thing
(VxSS?), but every time it gets brought up on this list, people just say how
much it sucks. I haven't yet read a single post from anybody who's
implemented it and been satisfied with it. It's a really tough
problem...
My suggestion that you form a good partnership with
your admin group still stands.
.../Ed
--
Ed Wilts, Mounds View, MN, USA RHCE, BCFP, BCSD, SCSP, SCSE mailto:ewilts AT ewilts DOT org
If I've helped you,
please make a donation to my favorite charity at http://firstgiving.com/edwilts
---------------------------------- CONFIDENTIALITY NOTICE: This e-mail
may contain privileged or confidential information and is for the sole use of
the intended recipient(s). If you are not the intended recipient, any
disclosure, copying, distribution, or use of the contents of this information is
prohibited and may be unlawful. If you have received this electronic
transmission in error, please reply immediately to the sender that you have
received the message in error, and delete it. Thank
you. ----------------------------------
|