Re: shared root account
On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote:
> I have a bit of a situation: I have a handful of linux machines
> (almost all with different distributions and kernels and software -
> one hell to keep secure) and all the machines have different roots.
> These guys want to keep their root passwords (or at least the root
> privileges) so they can update their X/KDE/whatever when/if they feel
> like it but on the other hand, they would like to see someone (me)
> keep their machines secure - something they themselves do not have
> time for (we all know keeping up security is a full-time job). Obviously to
> install patches etc I, also, need root privileges.
Maybe you should try to give them access to change the config files
they need to change by giving them group membership in a group like
"staff", or something, and making the appropriate config files group
writeable and owned by staff.
This depends on the competency of the people in question, of course.
Some people you can probably trust with their own root accounts. In
that case, I'd use ssh identities to let you in as root directly,
without having to type their password, only the password protecting
your ssh private key. (of course, you'd want to use ssh agent for
this.)
Also, taking away root access will mean more work for you if they're
going to keep asking for permissions to edit more stuff. If you
basically trust them, then you should probably let them hold onto root
access. I know I personally would like to have root access on my
workstation, since the admin doesn't have time to tweak it the way I
would like.
> This poses a problem if I am not to remember all those different
> root passwords and without making all the passwords the same! How can
> that _safely_ be accomplished? There are versions of su, sudo etc. that
> do not ask passwords, there are suid binaries but which is _THE_ way
> of accomplishing this? Presently there are only shared root passwords
> between the server admins but now we are trying to get the workstation
> security boosted up as well - being behind one firewall does not seem
> to be enough in an environment where a whole class B network is behind
> that one fw...
--
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@llama.nslug. , ns.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE
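The two mechanisms the reply suggests (a "staff" group that owns the config files the users may edit, and an ssh identity in root's authorized_keys so the admin never needs the local root password) are easy to get subtly wrong: a config file that ends up world-writable, or a .ssh directory sshd refuses to honour. The script below is an added example, not code from this thread; it applies both changes and verifies the resulting modes. It assumes GNU stat (Linux), and since creating a real "staff" group needs root, the demo at the end delegates to the caller's own primary group in a scratch directory with a constructed (not real) public key line.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes GNU coreutils stat.

# delegate_to_group FILE GROUP
# Hand a config file to GROUP the way the reply suggests: group-writable,
# and explicitly not world-writable.
delegate_to_group() {
    chgrp "$2" "$1" || return 1
    chmod g+w,o-w "$1" || return 1
    check_delegated "$1" "$2"
}

# check_delegated FILE GROUP
# Succeed only if FILE belongs to GROUP, has the group write bit set and
# does NOT have the world write bit set. In "-rw-rw-r--" the group write
# flag is character 6 and the world write flag is character 9.
check_delegated() {
    [ "$(stat -c '%G' "$1")" = "$2" ] || return 1
    perm=$(stat -c '%A' "$1") || return 1
    [ "$(printf '%s\n' "$perm" | cut -c6)" = "w" ] || return 1
    [ "$(printf '%s\n' "$perm" | cut -c9)" != "w" ] || return 1
}

# install_admin_key ROOT_HOME PUBKEY_FILE
# Let the admin in as root with an ssh identity instead of a shared
# password: append the admin's public key to ROOT_HOME/.ssh/authorized_keys
# with the modes sshd requires (0700 on .ssh, 0600 on authorized_keys).
# Re-running is harmless: an already-present key is not appended twice.
install_admin_key() {
    ssh_dir="$1/.ssh"
    { mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"; } || return 1
    { touch "$ssh_dir/authorized_keys" && chmod 600 "$ssh_dir/authorized_keys"; } || return 1
    if ! grep -qxF "$(cat "$2")" "$ssh_dir/authorized_keys"; then
        cat "$2" >> "$ssh_dir/authorized_keys" || return 1
    fi
    [ "$(stat -c '%a' "$ssh_dir")" = "700" ] || return 1
    [ "$(stat -c '%a' "$ssh_dir/authorized_keys")" = "600" ] || return 1
}

# Constructed demo in a scratch directory: no real /etc or /root is touched,
# and the caller's primary group stands in for "staff".
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'Option "constructed"\n' > "$tmp/XF86Config"
    delegate_to_group "$tmp/XF86Config" "$(id -gn)" || return 1
    # constructed public key line, not a real key
    printf 'ssh-rsa AAAAB3NzaC1yc2E...constructed admin@example\n' > "$tmp/admin.pub"
    install_admin_key "$tmp/root" "$tmp/admin.pub" || return 1
    install_admin_key "$tmp/root" "$tmp/admin.pub" || return 1
    [ "$(grep -c 'admin@example' "$tmp/root/.ssh/authorized_keys")" = "1" ] || return 1
    rm -rf "$tmp"
}

demo && echo "delegation demo ok"
```

One caveat worth keeping in mind when choosing which files to hand to the group: a file that root-run software reads and acts on (an init script, a cron entry, anything that names a program to execute) is root access by another name, so the group approach only limits privilege for files that merely configure the user's own session.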