Sharpe, Sam J wrote:
2009/6/15 Robert L Cochran <cochranb@xxxxxxxxxxxxx>:

The "locked box" approach is probably not used in very large enterprises. At
least not where I work (> 100,000 employees, > 98,000 Tier 3 workstations.)

I think there is a difference between administering a large number of
Workstations (as in a computer used at the desk by one or two
individuals) and administering a large number of Servers simply
because tighter controls are placed on the latter. I know of a few
large places where sudo is king and the root passwords to the servers
are randomised and kept in a safe (even if it's an electronic safe!).
At a former employer, users had sudo rights on their own workstation
to do pretty much anything (and similar PolicyKit and ConsoleHelper
configs) but were never told their own root password.

It happens that I have also administered over 100 SUN workstations as
well as servers in the data center at a single location (large oil and
gas company, research group).

We did similar things there. No-one knew the root password and it was
kept safe. I had to adjust my jumpstart scripts to access a 'special'
file on the main-frame that contained the encrypted password and install
it during the initial system install, as well as the scripts that were
used to push new passwords.

None of the engineers knew the root passwords, but many who over time
had shown competence, had been granted sudo access. Even then the
support group, of which I was a member, were notified at least by email
of any sudo commands executed by those users. Just as informational
documentation.

It was a great place to work, and one of the environments that I miss,
and will probably never get to see again.

Tight controls and a somewhat fascist attitude towards administration
can lead to unexpected benefits. At that location I could tell when a
printer was out of paper by monitoring network traffic patterns. It was
amazing to 'fix' problems before the users were even aware that they had
one.