Veritas-bu

Re: [Veritas-bu] Non-root administration

2008-07-02 13:49:26
From: "Ed Wilts" <ewilts AT ewilts DOT org>
To: "Curtis Preston" <cpreston AT glasshouse DOT com>
Date: Wed, 2 Jul 2008 12:30:08 -0500
On Wed, Jul 2, 2008 at 12:20 PM, Curtis Preston <cpreston AT glasshouse DOT com> wrote:

I'm afraid I'm going to have to respectfully disagree with you, there, Ed.  I trust a new backup admin in that I trust him not to circumvent the security that I have set up.  (OK, Trust but verify.)  That's not the same thing as saying "Well, he's the backup guy, so he can easily get root if he's a black hat, so we might as well give him root."

 

The backup admin is often a junior person, and handing them the complete keys to the kingdom just because it makes his/her job easier isn't something I'm interested in doing.


Around here, we have 3 key people in charge of backups and each of us has been with the organization for over 10 years.  You're probably right in that it is often a junior person, but then most organizations are often wrong - backups are such a critical part of operations that assigning them to a junior person is very shortsighted.  I saw a recent presentation going over restore workflows.  It should surprise you, but I'll bet it doesn't, that a very common restore workflow is to submit a request to add the client to a new backup schedule so you can restore it the next time you need to...
 

So what's the official non-root admin answer for 6.5?  I didn't realize the non-root-admin script was gone.

Symantec has this whole access control/security thing (VxSS?), but every time it gets brought up on this list, people just say how much it sucks.  I haven't yet read a single post from anybody who's implemented it and been satisfied with it.
 
It's a really tough problem...

My suggestion that you form a good partnership with your admin group still stands.

   .../Ed

--
Ed Wilts, Mounds View, MN, USA
RHCE, BCFP, BCSD, SCSP, SCSE
mailto:ewilts AT ewilts DOT org

If I've helped you, please make a donation to my favorite charity at http://firstgiving.com/edwilts