Slashdot Mirror


Handing Over Root Passwords to Clients and Contractors?

waa asks: "I have a client whose system I remotely administer. This particular machine has been up performing its various duties 'problem-free' for 4 months (since last kernel patch/fix). The client has, on-site, a consultant who pretends to know things he certainly does not know; Linux systems administration for one, and they now have requested the root password. Since it is their system, I'd imagine they have every right to the root account, however I know for sure that as soon as this is handed over, things will start to mysteriously malfunction, and I will get an emergency call to get them back in service (or worse, I will be blamed; i.e., back-stabbed). I'd rather not have to troubleshoot and fix a completely preventable, and possibly complex problem. What are people's experiences regarding this situation? How have you handled it? Is some form of 'release from responsibility' contract in order? I need some advice soon." In situations like this, communication with the client is important. If you ever run into a situation like this, talking to the client and informing them of the potential problems is always a good idea. If any problems happen afterward, start documenting them, and pass them back to the actual client if things start to become a problem. Anyone else care to weigh in?

2 of 24 comments

  1. Tripwire + backup... by Bryan Andersen · Score: 5, Informative

    First, back up the whole system as is and keep a copy for yourself. If that isn't possible, back up the configuration files and any data files you can fit.

    Tripwire is your friend. Run tripwire on all files (even ones known to change). Save the tripwire file on both the system and keep a backup copy. When you get a support call you can use this to check what the guys have changed. For the most part you can run tripwire without checking checksums, just length, data, perms, etc. This will give you a list of new, changed, and deleted files. Not doing the checksums lessens some of the utility of tripwire, but it gets you a list fast as tripwire doesn't have to read the file in.

    Security tools can be used for your benefit. They aren't just for security. When administering systems for developers who have root I always use tripwire on their systems. Often it tells me what they are changing so I can keep on top of their needs.
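
An added example (not part of the comment above and not Tripwire's own code) of the metadata-only comparison that comment describes: record mode, owner, size and modification time for every path, then list new, deleted and changed files against a saved baseline. The function names and the sample tree are constructed for illustration.

```python
import json
import os
import stat
import tempfile

def snapshot(root):
    """Map each path under root to [mode, uid, gid, size, mtime_ns]; lstat only, no file is read."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            is_dir = stat.S_ISDIR(st.st_mode)
            # A directory's size and mtime change whenever an entry is added or
            # removed; those events are already reported per path, so skip them.
            snap[os.path.relpath(full, root)] = [
                stat.filemode(st.st_mode), st.st_uid, st.st_gid,
                None if is_dir else st.st_size,
                None if is_dir else st.st_mtime_ns,
            ]
    return snap

def compare(baseline, current):
    """Return (new, deleted, changed) path lists, each sorted."""
    new = sorted(current.keys() - baseline.keys())
    deleted = sorted(baseline.keys() - current.keys())
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return new, deleted, changed

def demo():
    """Run against a constructed sample tree (stand-in for a config directory)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "ssh"))
        for rel in ("passwd", "motd", os.path.join("ssh", "sshd_config")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample content\n")
            os.chmod(os.path.join(root, rel), 0o644)
        # Round-trip through JSON, as if the baseline had been saved off-host.
        baseline = json.loads(json.dumps(snapshot(root)))
        with open(os.path.join(root, "ssh", "sshd_config"), "a") as fh:
            fh.write("# edited after hand-over\n")          # changed: size grows
        os.chmod(os.path.join(root, "passwd"), 0o666)       # changed: permissions
        os.remove(os.path.join(root, "motd"))               # deleted file
        open(os.path.join(root, "rc.local"), "w").close()   # new file
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Because contents are never read, an edit that leaves size and timestamp unchanged is not reported; catching that requires a checksum pass.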

  2. Clients! by annielaurie · Score: 2, Informative

    I'd certainly get busy and cobble together a "System As Built" document. Describe the server, its configuration, and its functions as completely and concisely as you can. Think of it as a "snapshot" of the system on the day you last had control of it. Try not to leave anything out. Deliver it to your client with a memo saying you can't be responsible for any changes made from this point forward. Remind him of your bill rate without making any further comments.

    Tedious? You bet! But you may find such an as-built document goes a long way towards covering your posterior if and when it's left flapping in the breeze.

    Then go ahead and hand over the access with a clear mind. Relax and consider that you'll probably be called in to restore order.

    Consultants do this quite a bit.

    Anne

    --
    DUCT TAPE: The Election Supervisors' Secret Weapon