Slashdot Mirror
UNIX Systems Control Politics?
pariahdecss asks: "I have just been hired as the webmaster for local college. The website for which I am responsible is hosted 'in-house' and controlled by the college. The server box does not have any other production systems on it besides my website. The website that I have inherited is driven by an amalgam of Embedded Perl and PostgreSQL. Now to the politics...the UNIX Administrator does not want to give me root access to this box. What have others done when faced with this type of systems politics? Is it even possible to function as a full scale webmaster without root access to the box you serve from?"
I don't think anyone would agree with you.
Which of Perl and Postgresql needs root? If webmasters need root access, then who else don't need?
It's entirely possible to function without root. Albeit to a limited extent. You have to ask your admin to install / upgrade software for you, but do it enough and maybe he'll get sick of it and give you root. Next?
Photos.
Please, let us know why you need root and we'll then tell you 1) how to attain it using politics or 2) that you're being a baby.
--Mike
So document exactly what you REALLY need sudo access for, and *if* there is a business case justification, then they should be able to grant this on a per command basis. There should be no reason for a webmaster to "need" the root password.
Hulk SMASH Celiac Disease
You're the one trying to do politics. Your domain as webmaster is html files, scripts, etc. You don't need to have root pass to upload files. Everyone who uses someone else's system for hosting is a webmaster w/o root access to the server. The two things are unrelated.
As your sysop to do things whenever you don't have access to do something (set up a db?) If this happens often enough he'll reconsider the policy, but most likely you will be just fine w. the privileges you have.
Ecce Europa - Web Design for Business
I'd just ask for sudo access to the resources I needed. Also, you never said why he denied access. Does the system have trust relationships with other systems he want's you out of?
For the first several years working for DSD there was no way in hell they were going to give me root access to anything, my data and home directories could be measured in the tens of gigabytes just to overcome these limitations. That was solaris, unfortunately (in my opinion) to get anywhere near the same functionality (as root access) you'll spend a huge amount of time recompiling applications, tweaking config files to do things that probably nobody ever intended, along with being on your supervisors shit list for blowing out disk space, audit trails, and... well... just because...
Not easy.
Diebold systems control politics.
Oh, you meant politics of UNIX system control? Never mind.
Make even shorter URLs - 8LN.org
Test, and Production. Build a linux box, give yourself root, do all your play work there. When its time to make real changes, in 1 shot, ask the SA to do whatever you need (upgrade PHP to version foo, edit config file bar, etc). They're more likely to do it if you don't nickel and dime them every day for little stuff. Plus, you have the added bonus of not fscking up your main, real, this-is-your-paycheck website doing test work.
I want to delete my account but Slashdot doesn't allow it.
You don't say anything about what else you inherited along with the website: Was the previous web admin a jerk? Was the server a pustulent boil on the face of the university's net?
One line blog. I hear that they're called Twitters now.
"But Wait!" you say, "What about software upgrades? New Perl modules?" --Sorry, bub, installing and upgrading software is exactly what the sysadmin is there for. These are her systems. Not yours.
It's likely your sysadmin is smarter than you, and has been doing this longer. And while I'm sure you have "teh lunix" at home and run X as root "all the time", that doesn't make you worthy of having root on the universitie's box. Quite frankly, having been through this from the sysadmin's side, No, you don't need root, and it's YOU who's playing the political game, not them. It's their box, their system, their software. The limousine company owns the cadillac, you just drive it around and make sure it has gas. Thank you. Move along!
You've not mentioned anything of your skills or previous experience. `Webmaster' could mean that you're a skilled systems administrator and/or programmer yourself ... or it could mean that you spent 15 minutes playing with Frontpage and Photoshop. Or anything in between.
It's a university, so things may be different, but in the business sector, one makes a business case for needing root access, and puts that, plus the pros and cons into a presentation and presents that to management and the systems administrator. If you have the needed skills, and can convince people that having root access would make for a better web site, the sysadmin may be happy to let you have access to your box (because it may mean less work for him.) At least in the business world, politics definately exist, but a good business case can often cut through it like a knife through butter. (It's unfortunate when skilled sysadmins and programmers have to spend their time making Powerpoint presentations, but it's often how you deal with the suits.)But if you're some `loose cannon' who doesn't know anything about *nix system administration beyond what you've read in some book, then root access is a disaster waiting to happen.
(As I said, I don't know which group you fit into.)
It sounds like you've already answered your own question, and want us to come up with the same answer. `full scale webmaster?' In any event, my answer is `yes', which is probably not the answer you want to hear.Not having root access is a blessing in disguise too. If something gets really messed up and root access is needed to fix it, you have the benefit of 1) not being blamed for it, because you couldn't have done it, and 2) not having to fix it.
One piece of advice -- what ever happens, don't try to `crack' root access. Getting caught, even if you think it helps you do your job, is likely to end in your being fired, and could even find you being arrested. (Yes, it has happened.) If you're a student, you could even be expelled. Not worth the risk.
"~ the UNIX Administrator does not want to give me root access ~. ~ Is it even possible to function as a full scale webmaster without root access to the box ~?"
.htaccess sucks
This article advocates a
( ) technical ( ) legislative ( ) market-based (x) vigilante
approach to website administration. Your idea will not work. Here is why it
won't work. (One or more of the following may apply to your particular idea,
and it may have other flaws which used to vary from organization to
organization before a poorly thought-out, ineffective approach is suggested.)
(x) Sudo will allow you to do what you need
( ) Installing extra software on a machine without the Admin's knowledge
is bad
(x) You don't know what you're doing
( ) Hosting w4r3z and hacks on company-owned equipment is bad
( ) You are not mature enough to manage a box in a production environment
( ) Your users will not put up with it
( ) SCO will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from the Admin
(x) Requires immediate total cooperation from everybody at once
(x) Your employers cannot afford to lose services or alienate students
( ) Students don't care about your lack of web admin skills
(x) Anyone could anonymously destroy your entire site due to your
inept administration skills
Specifically, your plan fails to account for
( ) University rules expressly prohibiting it
(x) Lack of centrally controlling authority for servers
( ) 5kr!pt k!dd!35 installing open relays
( ) Backup and restore
( ) Asshats
( ) Jurisdictional problems
(x) Unpopularity of weird new configurations
( ) Students' reluctance to use an obviously hacked site
( ) Huge existing software investment current setup
( ) Susceptibility of poorly configured machines to attack
(x) Your willingness to install OS patches in a timely manner
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Extreme fun of web h4xx0r5
( ) Joe jobs and/or identity theft
( ) Technically illiterate school administrators
(x) Extreme stupidity on the part of people who think they need root
in order to do their job
( ) Bandwidth costs that will increase once the b0xx3n are pwned
( ) IE
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been
shown practical
(x) Any scheme based on 'su' is unacceptable
( ) Lack of knowledge upon how to manage a web server should not be the
subject of politics
( )
( ) mysql sucks
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of campus networks
( ) Countermeasures must work if phased in gradually
( ) Surfing the web should be easy
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time root access is cumbersome
( ) I don't want the campus regents looking over my shoulder
( ) Web admins who have been coasting along with barely any knowledge
of what they're doing should be killed in a way is slow and painful
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
Yeah, right.
Are you talking the modern Webmaster where their skill sets are limited to the design and content of the website or the Old-School Webmaster (like me) where you were responsible for everything like the OS, the software (Apache, mySQL, Perl, PHP), access (.htaccess, etc.), and the content (HTML, images, etc.)
If you're talking a Modern webmaster, then no, they don't need it. The Server Admin just has to make sure all the directories they are using are owned by the assigned user.
If you're talking Old-School, then yeah, it's pretty much a necessity; sudo at a minimum.
You can run Apache, perl and PostgeSQL without being root. Ask your admin for two things: port 80 mapping to 8080 and calling your startup.sh after boot (I do so in rc.local). And you're there.
At a largish-university. There would be (and was) no way a webmaster would have root access to any boxen I controlled. For a number of reasons:
:)
a) You don't need it. Making sure apache is up and running and patched is my job, and I probably do it to 50 boxes at once and have nice automated scripts.
b) Every single webmaster I met (until I left a few months) ago swore they needed root access to install some apache module or other. No, you don't. You ask the sysadmin and, most times, if he can do it without a huge amount of effort (pointing him to the exact URL of the module's home page, and even better, pre-compiled packages for your OS, would tend to improve his/her mood) then I will, after carefully evaluating it, its security, its size, etc.
c) Politics sucks, and the poor sysadmin generally has to fight tooth and nail for every little bit he/she can get. Going the political route and over your sysadmin's head is a very good way whatever box you end up controlling has a number of... strange issues. Not saying I did this, but I know a LOT of sysadmins who have. A LOT. A lot of people you normally wouldn't expect. Especially in a university or state-run organization, politics and political image counts for a lot, and if you use politics to override your sysadmin, they're going to be very bitter about it. Not a good idea at all.
d) Working with the sysadmin, if you can provide a DAMN good case, and actually show you know what you're doing, what will usually happen is the sysadmin will hand over root and wash his or her hands of the matter. Box gets owned? Your problem. Box goes down? Your problem. Operating system barfs? Your problem. Too many people having root is a terminally bad idea, and most sysadmins will avoid it like the plague.
e) If all you need is the ability to restart/reload apache, there are a number of other ways to accomplish that, as has been mentioned. Personally, I would have gone the 80->8080 route, because I didn't hand out sudo either.
Every year I have to hear about this bullshit.
Listen kid, we're going to tell you this now, don't forget this lesson. You are not special. You are not the brightest little ray of knowledge to ever grace the halls of your university. In fact, the odds are very much that you are aren't even good enough to be the layer of slime the illumnai pond scum will float on. There are 10,000 other eager little faces just like you. And the odds are you aren't anywhere near the top end. If you were, the faculty would be putting you to better use than being the webmaster. Any idiot can be the webmaster, quite successfully, however, giving that idiot root would endanger the system the sysadmin is charged to maintain.
To summarize:
1) You are not special
2) You are should simply be happy you beat out those not smart enough to be webwanker
3) You should put your little ego at the door and realize the sysadmin is only doing his job, if he were stupid enough to hand you root, he should be fired.
4) Webwanking is not a technical task.
5) Webwankers *SHOULD* *NEVER* *EVER* have root. It *ALWAYS* ends badly, at my university we have a policy that says just that. And many defacements have been avoided because of it
6) Grow up! The sysadmin is getting sick of hearing this bullshit year after fucking year!
First, get politics for dummies. Also, you don't need root, as has been said ad nausium. The fact that you are asking if you need root to be a full fledged web master demonstrates that you don't know what you're in for politically or technically. Odds are your admin is reading this thread and will know its you.
.
However, I'll give you the loaded gun. Go ye therefore . .
1. Don't rock any boats for 90 days. You need this time to assess the political landscape and get to know who is really in control. You may find that the man in charge is not the man in control. If you start rocking your boat early, the man behind the curtain will be wise to you. IF that man is the sys admin you're trying to sweep the legs out from under, then clean up your resume.
2. Get to know the system you're wanting to control. You need to know why you need root to ask for it. Needing to install software is usually the best excuse since routine permissions will fix any routine need for root. This also requires some major server overall that you *need* to get the website to some grand plan you have. You do have a grand plan, right?
3. After the requisite time period (see 1), start making a lot of important installation requests staggared. Make sure you ask for it when he's swamped. That way he will seem unsupportive/inept. Don't forget to explain to man in control that you're not being supported.
4. Explain to the man in control that if sysadmin would only give you root, you could take care of this on your own. Don't forget to wave your hand in front of the man in control or the jedi mind trick will fail. Hope that man in control and sysadmin are not friends.
5. Hope that sysadmin is not politically savvy. If he is, prepare your resume. You have about a 25 percent chance of winning if you know what you're doing, and a 100 percent chance of pissing off your sysadmin.
If he's worth his salt, once you have effectively stolen root from him, the server will have mysterious problems arise that can *only* have been because he was forced to give you root. Root will be taken from you and you will have a) made a serious enemy and b) "proven" your incompetence.
The net result is that you will have weakened the organization as a whole.
Alternatively, you can work your ass off for several months to impress the hell out of all involved and show that you can be trusted with root. No politics required.
What those who want activist courts fear is rule by the people.
There seems to be a lot of 'you don't need root access' replies. I'd go so far as to say 'avoid root access if you can,' especially in a politically volatile environment. You'll get less blame when something goes wrong, and you can relax while they take care of the system patching, managing its network connectivity, disk space, etc.
Working on a non-root server feels weird at first if you've run your own box for a long time, but other than the inability to listen on ports 1024 and a few minor resource restrictions, you should be better off. Coexisting on someone else's server can even make you very conscientious and more likely to keep a tidy server.
Also, if you have to ask the administrator to upload files every time you change them, and you find yourself making many changes, ask yourself if you are doing too many updates because you don't have a proper test/dev/stage environment (if not, shame on you!). If not, maybe a compromise could be made to script a bulk site transfer from stage to production that you could control.
_______
2B1ASK1
No developer should have root on PRODUCTION boxes.
The process should be:
development happens on development box (workstation, server whatever). Developers may have root on this- if they do, they manage it, OS hardware and all. Developers will use sudo if anyone else is responsible for the server hardware and OS. This should never be exposed to untrusted networks.
QA stage: if you are poor or small, do this against the development box. If not this should be a seperate QA box. This should be managed by QA team. If the sysadmin is the same, the sysadmin should hold root, qa team may sudo, developers should not be accessing this box directly (except in emergency, then they will be sheperded by QA). This should also not be exposed to untrusted networks unless you have and excellent (and obeyed) security policy and review.
Production: only the sysadmin has root, noone else should have access. The sysadmin publishes to production- using the release that QA approves. Highest security policy applies here.
If your QA and dev team are the same, collapse development and QA- but trust me keep production seperate.
-A