[nSLUG] Dealing with a superior who believes they need root

gnwiii at gmail.com gnwiii at gmail.com
Sat Nov 4 11:32:28 AST 2006


On 11/1/06, D G Teed <donald.teed at gmail.com> wrote:
> This is not specific to Linux, but as it touches on best practise for
> *nix, I thought it might be an interesting discussion for the group.
> [... all too typical example where a little knowledge is dangerous ]

This is a situation (more than one person doing tasks of "root") where
requiring admin changes be done using sudo (so all commands are
logged) would have been useful.  Even if the person making changes
knows what they are doing, logs are useful so others can see how
certains tasks were done in the past and so everyone will be able to
determine the current state of the systems.  In systems exposed to the
internet, such logs are particularly important to distinguish between
changes in functioning due to hacking and changes made for legitimate
reasons.

Some sites have a rule that you can't be root unless a second person
is with you -- checking each command for typos and entering them in a
separate log.  This can be with a custom version of su that logs the
names of the two people before the real su is run.  In addition to
reducing mistakes, this practice is often seen as part of the training
process and as an antidote to the problems you get when all the tricky
stuff is left to one person who then gets killed in a motorscycle
accident (that actually happened at SGI and caused much grief).

> The challenge is: how to demonstrate to the boss's boss
> that the boss is breaking good *nix sysadmin practises
> and should leave the sysadmin tasks to those with
> experience and knowledge of good practise.
>
> To put it another way: where can one find an authority source
> a non-IT person can understand, which discusses best practices
> for *nix sysadmin and security - possibly in condensed reading
> format rather than full book.

A lot of sysadmin is dealing with human factors.  There are many
different types of organizations that need very different styles of
sysadmin.  Things to keep in mind is that good sysadmin is really
about creating an environment where people can go about their jobs
without having to think about admins and rules, etc., but are
encouraged to seek out prof. help when they run into something beyond
their competence.

I don't know of any books, but there have been articles in the Usenix
";login:" journal that describe particular approaches that work (or
not) in certain environments.  I've used these as "here is how some
other site dealt with this particular issue" examples.

-- 
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia

!DSPAM:454cc08756857858967025!




More information about the nSLUG mailing list