Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Trouble at the 9th layer.



Configuring Sudo correctly means, IMHO, unless you are on the sysadmin team,
you cannot have shell access as root.  They can still script sudo, to do
utility functions
without having full shell access, and even using editors (vi, sed, emacs,
etc) should
be viewed suspiciously to ensure they can't 'shell out' to get and
un-audited command line.
... I am draconian, but only because I have been bit so many times.
><> ... Jack


On Sun, Nov 29, 2009 at 10:03 AM, Matt Shields <matt-urrlRJtNKRMsHrnhXWJB8w at public.gmane.org> wrote:

> On Sun, Nov 29, 2009 at 12:01 AM, Rich Braun <richb-RBmg6HWzfGThzJAekONQAQ at public.gmane.org> wrote:
>
> > Dan Ritter <dsr-mzpnVDyJpH4k7aNtvndDlA at public.gmane.org> suggested this warning about dev root:
> > >   Attempting to violate this policy once will result in a
> > >   warning. A second attempt will probably be considered grounds
> > >   for termination of employment.
> > >
> > >   If you think you need expanded privileges on any machine,
> > >   please contact the sysadmin staff ...
> >
> > Heh.  I am the guy in charge of the dev servers where I work.  If I sent
> > that
> > out, the devs would instantaneously go over my head and I'd get a CTO or
> VP
> > directive that so-and-so gets root, period, on all dev boxes (and I've
> even
> > gotten that directive for two of the devs on all /production/ boxes).
> >
> > I try to bend over backwards and give the devs what they
> need--quickly--but
> > this is a battle I have not figure out how to win, at least in a small
> > company
> > (IT organization of about 25-30 with 6 to 10 developers).
> >
> > But maybe it's a battle I should try again soon because most of the
> > long-time
> > hires have disappeared--a lot of this office politics depends on
> longevity,
> > and now only one of the developers has been there longer than me.
> >
> > ISO 7-layer model: 8th layer = finance, 9th layer = politics.
> >
> > -rich
> >
> > _______________________________________________
> > Discuss mailing list
> > Discuss-mNDKBlG2WHs at public.gmane.org
> > http://lists.blu.org/mailman/listinfo/discuss
> >
>
> We've been stuck in the position of having a draft of an acceptable use
> policy that described everything including the previous suggestions.  But
> when it comes down to it the CTO or other executives didn't feel that we
> needed implement one.  When it came to dev's access, it's always been give
> them whatever they want to do their job, even if that meant that they had
> root access on production boxes and they caused outages because of what
> they
> did.  Being the 3rd Ops manager to take over, I'm not happy to just stand
> by
> and watch our dev's cause more problems than help.  First step is to
> implement sudo and let them do their job while not giving them root access.
> But as I mentioned, we have one guy who seems to think that he can go
> around
> sudo by dropping to shell.
>
> -matt
> http://www.sysadminvalley.com
> http://www.beantownhost.com
> http://www.linkedin.com/in/mattboston
> Joan Crawford<
> http://www.brainyquote.com/quotes/authors/j/joan_crawford.html>
> - "I, Joan Crawford, I believe in the dollar. Everything I earn, I
> spend."
> _______________________________________________
> Discuss mailing list
> Discuss-mNDKBlG2WHs at public.gmane.org
> http://lists.blu.org/mailman/listinfo/discuss
>






BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org