
BLU Discuss list archive


Trouble at the 9th layer.

Matt Shields wrote:
> For years we've used sudo to give our developers and qa access to
> production servers to run cat, less, more and tail to view logs, but
> nothing else.

What I've done at my workplace - and which has gotten rid of most of the
demands by devs for root - is build 'logviewer', a completely separate server
in the production server farm.  Devs get non-root access to that box, no
access on the production boxes, by default.  Whenever someone needs access to
a log of some sort that I haven't yet thought of, I simply add a read-only
export rule on the source machine with a matching automount rule and slurp it
into logviewer.

This way there is no possible loophole by which a dev can get write access. 
We do have to trust that our devs won't abuse read access (once in a while
there is a wayward employee who breaches confidentiality by accidentally or
deliberately sending data outside the company; so far it hasn't happened on
the IT side of the company).
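
An added example, not part of the original post: a shell check for the export side of the setup described above, run against a production box's exports(5) file to confirm that nothing offered to the log-viewing host is writable or exported with `no_root_squash`. The host names `logviewer` and `backup01`, the paths and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. "logviewer", the paths and backup01 are constructed.
# Only plain host(opts) entries are parsed; netgroups, subnets and
# backslash line continuations are not handled.

# Constructed exports(5) content for a production box.
sample_exports() {
    cat <<'EOF'
# log exports for the log-viewing host
/var/log/httpd   logviewer(ro,root_squash)
/var/log/app1    logviewer(ro) backup01(rw)
/var/log/app2    logviewer(rw,sync)
/var/log/secure  logviewer(ro,no_root_squash)
EOF
}

# audit_exports FILE CLIENT   (FILE may be "-" for stdin)
# Prints one finding per export reachable by CLIENT that is writable or
# maps root unsquashed. Returns 0 when clean, 1 when anything was found.
audit_exports() {
    awk -v client="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {                  # split host(opt,opt,...)
                    host = substr($i, 1, p - 1)
                    opts = substr($i, p + 1, length($i) - p - 1)
                }
                # a "*" entry also applies to CLIENT
                if (host != client && host != "*") continue
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") { print "WRITABLE " path; bad = 1 }
                    if (o[j] == "no_root_squash") { print "NO_ROOT_SQUASH " path; bad = 1 }
                }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Demo run on the constructed sample; "|| true" keeps the script's exit 0.
sample_exports | audit_exports - logviewer || true
```

The non-zero return status makes the function usable as a gate in a configuration-management run or a cron check on each source machine.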


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
