Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Root access to NON-administrators 1

Status
Not open for further replies.
ttutor

ttutor

IS-IT--Management
Joined
Dec 15, 2002
Messages
5
Location
US
I am being asked, as an IT professional (Unix OS - SUN and RS/6000), to allow multiple personnel in another department to the ability to run full root commands in order to fulfill their jobs as storage administrators (EMC). I am looking for some help in identifying the impacts and security vulnerabilities of allowing this to happen.

Any input would be appreciated.
 
Sort by date Sort by votes
the main impact i would be concerned about is having people with enough knowledge to be dangerous screwing your system and needing you to put it back together again.

look for a utility called sudo. it allows you to run root commands as the user and it also allows logging so you can keep an eye on what they are up to.

you can also use sudo to make a shell so they can open a root shell, do what they do, you are collecting logs on it and its all good.
 
Upvote 0 Downvote
Feline - Thanks for the response. I have sudo setup and functioning but still do not want to allow other departments to run root level commands on my system. I am trying to persuade management to not let it happen. I guess I am really looking for information on why it is a BAD idea to give root level access to others.
 
Upvote 0 Downvote
How about relying on some examples of problems caused.

We had a meathead at my office that accidentally typed rm -rf /var and hit enter...

There were other incidents, but that one obviously cost the most man hours. Stupid things like something as simple as screwing up file permissions can cause an "operator induced outage" as we call it.

If they consider their systems "mission-critical," anything less than an expert with root access is an invitation to disaster. --
Andy
 
Upvote 0 Downvote
We do allow root access with engineering lab machines, since, they do need that. However, such machine will not be covered under any admin troubleshooting. Disk image restore will be the solution for any "screwup".

"NOWAY" you should give root access to any user with "mission-critical" machine.
 
Upvote 0 Downvote
I think they (storage admins) should be able to identify which commands they need to run "as root". There should not be a whole lot of show stoppers to accomplish what they need to do. Each command can be outlined in the sudoers file.

crowe
 
Upvote 0 Downvote
Here are a few things to consider in your quest for solving this difficult question.

And how I would go about explaining it to management.

1. Put a dollar value on system outage, So 1 hour equals $100.00 or whatever might apply to your company. You may even want to get management involved in this.
2. Have the EMS dept request exactly what it is they need root access for, details are important. So you will know what commands are need to run and why.
3. Lay out a plan to solve those dept issues that do not involve giving root access. Like using sudo, or a formal request to have certain commands run for them at a certain time, etc.
4. Show Management that the wonders of a UNIX system are many ways to solve any given problem, not just giving root access to all that request it.
5. List some reasons that root access is a risk to the company. Some examples.
A) Simple mistakes can cost hours of downtime to fix.
B) No way to easily track who did what, therefore adding to the time to fix mistakes.
C) Data Integrity, For instance can the financial dept risk a mistake that may not be found for weeks or days, or worst yet at month end.
D) Confusion over who is responsible for what, causing greater lead time in solving other problems that may seem related to storage.

These are just a few idea's I hope you can use. A well thought out plan works best when approaching management with what's in the best interest of the company.
 
Upvote 0 Downvote
One more thought.

In a similar situation a few years back I had manegment of the Tape storage dept also wanting root access on an SCO UNIX box. After investigating I found he really just needed to run a few commands.

To solve this I wrote a simple script to run a menu his users could access then in the scipt the commands would run with the asroot command. (very similiar to sudo).

This solved his problem and made it much easier for his users, who by the way did not care if they had root, just wanted to do their jobs.

Win-win.

Good luck
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

arciua
  • Locked
  • Question Question
SUN Solaris 7: How to pin Workspace Menu?
Replies
0
Views
903
arciua
arciua
egyassun
  • Locked
  • Question Question
SunOS confusing root directory and user home directory
Replies
4
Views
1K
egyassun
egyassun
austinramsay
  • Locked
  • Question Question
Solaris 10 install hanging at 3%.. Where to find log file, or ideas?
Replies
1
Views
927
AvayaTier3
AvayaTier3
tekmhe
  • Locked
  • Question Question
Using a PC, how to delete files from a Sunblade 150 IDE drive?
Replies
3
Views
777
SamBones
SamBones
Ramakrishna Jujare
  • Locked
  • Question Question
Porting applications from AIX to Solaris platform
Replies
0
Views
707
Ramakrishna Jujare
Ramakrishna Jujare

Part and Inventory Search

Sponsor

Back
Top