On 8/20/06, Sharon Nagao <[EMAIL PROTECTED]> wrote: ...
I was informed last week by my manager that the DBAs are to have full root access to all Dev and Test servers in our environment. Naturally, I objected, but to no avail. I was unprepared to discuss the matter and hence every objection given was met with criticism and the DBAs responded by
...
I expect you're a professional and know what you're doing as well. Insist you have admin rights to the database, just in case you need to debug a performance issue. In all seriousness, I work in a shop that has dozens of Linux systems running Oracle. None of the DBAs have or need root. (See below)
In addition, I am to log everything they do. I am thinking of using sudosh.
... Explain to your management that you do not have the time or resources to play big brother. If they truly have the skills to be trusted with root, why do you have to audit all that they do? Does your management audit every command you issue as root?
I would appreciate it if people would share their experiences with me. In particular, I'd like to know what I should look out for, what worked, etc.
... Our admins don't have root access to ANY of the servers, test or otherwise. Frankly, they don't need it. As I mentioned above we have dozens, possibly a few hundred Oracle systems. (You didn't mention what kind of database.) We do the following.

1) We have a standard build that takes into account Oracle's requirements. These are well documented by Oracle and easy to preconfigure. For example, there are changes to Kernel parameters, modifications to set up raw devices, changes to some startup scripts, creation of default accounts etc. Again, this is all well documented and simple enough to preconfigure. In general, these are done ONCE when the system is first built. After that, there is little to no need to make additional changes at this level. If the DBAs insist they need to do this often, you could simply script it and let them fire it off via sudo.

2) There ARE a couple of scripts that need to be run as root when first setting up a database. For these, the DBAs simply ask one of the Sysadmins to run it for them. As these are only run at install or reinstall it doesn't happen often. It also doesn't take much time. I would rather handle a five minute interrupt every now and then than deal with the inevitable cleanup of handing out root to those who don't need it. If they make the argument they need root for these scripts you can simply set up sudo to run them. (There are fewer than 5). Sure they can break out of sudo if you're not picky about how you set it up. However that would be clearly crossing a boundary on their part and would, I hope, result in some action by your management.

It really is as simple as the above two items. Root just isn't required by the DBAs.

- Paul Beltrani
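A sudoers fragment for the arrangement described in the reply above, added here as an example and not taken from the thread or from either poster's systems. The `dba` group name and both script paths are hypothetical, and `log_output` assumes sudo 1.7.4 or later.

```sudoers
# /etc/sudoers.d/dba   (edit with: visudo -f /etc/sudoers.d/dba)
# Constructed example: the group name and script paths are hypothetical.

# Weak forms, shown for contrast only and left commented out:
#   %dba ALL = (ALL) ALL
#       full root under another name
#   %dba ALL = (root) /home/oracle/scripts/*
#       wildcard over a directory the DBAs can write to

# The few root-only scripts, each named by full path.
# The trailing "" means the command may only be run with no arguments.
# Each script must be owned by root, live in a root-owned directory,
# and not be writable by group or other, or the rule protects nothing.
# Keep them non-interactive: no editors, pagers or prompts that hand
# the caller a shell.
Cmnd_Alias DBA_ROOT_SCRIPTS = /usr/local/sbin/ora-postinstall-root "", \
                              /usr/local/sbin/ora-set-kernel-params ""

# Run with a scrubbed environment and a fixed PATH so the caller's
# variables and PATH cannot steer what the scripts execute.
Defaults:%dba env_reset
Defaults:%dba secure_path="/usr/sbin:/usr/bin:/sbin:/bin"

# Optional: record terminal output for these commands only, using
# sudo's own I/O logging rather than wrapping a full root shell.
Defaults!DBA_ROOT_SCRIPTS log_output

# The grant itself: members of dba may run only the aliased scripts,
# only as root, and must authenticate with their own password.
%dba ALL = (root) DBA_ROOT_SCRIPTS
```

Running `visudo -c` after installing the file checks the syntax, and `sudo -l -U <user>` shows what a given DBA account is actually allowed to run.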
