Slashdot Mirror


How Would You Distribute Root Access?

dhanks asks: "I'm one of 10 administrators in our group. We're equally responsible for about 300 UNIX servers. We're having problems keeping track of all the root passwords and some of the administrators have taken it upon themselves to implement different security standards. (sudo with silly !SHELLS restrictions) How do other companies and system administrators handle the distribution of root access? I've been charged with coming up with a security policy and I would like to receive some feedback. I'm currently thinking of personal root accounts that would be locked via the /etc/passwd and would only be accessible via 'sudo su - adm_userid' that way each administrator may have full root access only using his regular user password instead of having to keep track of root passwords." While this is similar to an earlier question, this question deals with insuring authorized administrators have the access they need. How would you distribute root over hundreds of Unix machines to the administrators that need it?
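The question mentions both `!SHELLS`-style sudo restrictions and a `sudo su - adm_userid` scheme. As an added example (not part of the original post or of sudo itself), this simplified audit flags sudoers rules that amount to unrestricted root. The sample policy, user names and finding labels are constructed for illustration, and the reader assumes one rule per line.

```python
import re

# Constructed sample policy; user names and aliases are hypothetical.
SAMPLE_SUDOERS = """\
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/ksh
Cmnd_Alias BACKUP = /usr/sbin/dump, /usr/sbin/restore
alice   ALL = (root) ALL, !SHELLS
bob     ALL = (root) BACKUP
carol   ALL = (root) /bin/su - adm_carol
dave    ALL = (root) NOPASSWD: ALL
"""

# Programs that hand the caller an interactive root shell.
SHELL_LIKE = re.compile(r"(?:^|/)(?:sh|bash|ksh|csh|zsh|su)$")


def audit(text):
    """Return (user, finding) pairs for rules equivalent to unrestricted root.

    Simplified reader: one rule per line, no line continuations or includes.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        left, spec = line.split("=", 1)
        user = left.split()[0]
        spec = re.sub(r"\([^)]*\)", "", spec)   # drop Runas list, e.g. (root)
        spec = re.sub(r"\b[A-Z_]+:", "", spec)  # drop tags, e.g. NOPASSWD:
        cmds = [c.strip() for c in spec.split(",") if c.strip()]
        negated = [c for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:
            # sudoers(5) warns that subtracting commands from ALL does not confine a user.
            findings.append((user, "negated-all"))
        elif "ALL" in cmds:
            findings.append((user, "unrestricted-all"))
        elif any(SHELL_LIKE.search(c.split()[0]) for c in cmds if not c.startswith("!")):
            # By default sudo logs the shell launch, not the commands typed inside it.
            findings.append((user, "shell-grant"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_SUDOERS):
        print(f"{user}: {finding}")
```

Rules that list only specific commands, like the hypothetical `bob` entry, produce no finding.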

12 of 148 comments

  1. I would combine them. by Anonymous Coward · · Score: 5, Funny

    First, create one super administrator from the 10 (sorta like Voltron).

    Second, create one giant supercomputer cluster from the 300 machines.

    Third, give your new super administrator root access (with their choice of password) on the new supercomputer.

  2. blah by byolinux · · Score: 4, Funny

    Just all use the password 'secret' - nobody would ever think a root user could be so dumb.

  3. Re:Sudo and CVS by Elwood+P+Dowd · · Score: 3, Funny
    The reason I did this is so that someone couldn't do a sudo su -, and then do whatever they want as root, unlogged. There are still workarounds, as sudo is not a be-all-end-all of security. You still need standard procedures, and you have to make sure people follow them.
    sudo bash
    C'mon, man. That's not exactly a "workaround."
    --

    There are no trails. There are no trees out here.
  4. "How Would You Distribute Root Access?" by fmaxwell · · Score: 3, Funny

    That's easy: With Post-it notes on monitor bezels.

  5. Passwords by sparkie · · Score: 1, Funny

    You mean *nix has passwords now? ... And didn't Microsoft patent the password?

  6. Re:dealing with this as well... by Anonymous Coward · · Score: 2, Funny

    This could possibly be the most idiotic suggestion I have ever heard on Slashdot.

  7. insure/ensure by Anonymous Coward · · Score: 1, Funny

    this question deals with insuring authorized administrators have the access they need

    Do insurance companies sell these kinds of policies?

    "Shit! I'm an admin and I don't have the access I need! CLAIM ON THE INSURANCE!"

  8. Re:How Would You Distribute Root Access? by Trepalium · · Score: 2, Funny
    fakeroot.

    [user@machine:~]$ fakeroot
    [root@machine:~]$ whoami
    root
    [root@machine:~]$ rm /etc/shadow
    rm: remove write-protected regular file `/etc/shadow'? y
    rm: cannot remove `/etc/shadow': Permission denied

    Problem solved, right?

    --
    I used up all my sick days, so I'm calling in dead.
  9. Re:In times past.... by KDan · · Score: 2, Funny

    That's far too complex! The obvious solution is to give all the boxes the same root password, kept in a central location (such as on a postit note at the entrance of the server room).

    Daniel

    --
    Carpe Diem
  10. Re:In times past.... by Anonymous Coward · · Score: 1, Funny
    Shurely that's:

    Not all those chiens are dogs

  11. Re:dealing with this as well... by lucas+teh+geek · · Score: 1, Funny

    Give _everyone_ root access.
    Up next on "when Windows admins administer Linux", orn will explain how to set up passwordless telnet access, to make life easier for everyone.

    --
    TIAEAE!
  12. Re:Easy by vijaya_chandra · · Score: 2, Funny

    Hey!
    Just for an educational survey
    Can you give me the ip of one of those boxes that is on the net?