On Tue, 20 Jun 2000, Kevin D. Clark wrote:

> 
> Derek Martin writes:
> 
> >  Engineers almost never really need the root
> > password to do their jobs.
> 
> On the workstation that I do most of my development on, I use my root
> password nearly every day.  So do most of the engineers I work with.
> I doubt a decent sysadmin could wrap all of the functionality I
> require with sudo.

I have no idea what you do, but in the worst case you can let them run
everything with sudo.  My experience as a sysadmin is that there are
rarely cases where this is necessary.  Often changing group ownership and
permissions on various files is sufficient. 

Allowing full access with sudo may seem pointless, but it at least allows
the sysadmin team (who, don't forget, are generally ultimately responsible
for managing and maintaining those workstations) to have some idea what you
did when you (in the collective sense, not the specific) screw up your
machine.

In the case where this is done, the workstations should be configured to
log to a remote machine that the users don't have access to.  In the event
that they change the config of their machine to not log to the remote
server, their logs should be conspicuously absent (and the employee should
be fired for intentionally circumventing security policy).

> I know of organizations that don't let engineers and scientists have
> their root passwords.  My observation is that this causes a lot of
> resentment and loss of productivity.

This is often the case when your admin team has no clue, but giving out
the root password rarely solves that problem.  A more mindful sysadmin
team should be able to solve the vast majority of problems without
resorting to giving out the password.

In cases where root is required extensively because of what the engineer
is doing, they should have a separate machine, which has limited (or
better yet no) access to network resources.

> Yes, I understand the security implications here, but I'm telling you
> that in my experience not giving an engineer the root password causes
> more problems than it solves.

I'll politely disagree.  I think most of the problems stem from the
engineers and the admins harboring an adversarial relationship, and each
not spending time understanding the needs of the other.  If this is done,
there is almost certainly some compromise that can be reached which is
acceptable to both parties.


-- 
Derek Martin
System Administrator
Mission Critical Linux
[EMAIL PROTECTED] 
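
Added example, not part of the original message: a check a central log host could run for the arrangement described above, collecting each workstation's sudo commands and flagging workstations whose logs have gone quiet. The host names, users, log lines and two-hour threshold are constructed for illustration, and the line format assumed is the classic syslog output of sudo.

```python
import re
from datetime import datetime, timedelta

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
# sudo's message part: "user : TTY=... ; PWD=... ; USER=target ; COMMAND=..."
SUDO = re.compile(r"^\s*(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")

# Constructed sample of what the central log host received (not real data).
SAMPLE = """\
Jun 20 09:02:11 ws1 sudo:   kclark : TTY=pts/1 ; PWD=/home/kclark ; USER=root ; COMMAND=/sbin/insmod ./mydrv.o
Jun 20 09:40:05 ws2 sshd[411]: Accepted password for alice from 10.0.0.5 port 1022
Jun 20 11:15:42 ws1 sudo:   kclark : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/vi /etc/syslog.conf
Jun 20 11:58:30 ws2 sudo:    alice : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/mount /dev/fd0 /mnt
Jun 20 15:30:00 ws3 cron[88]: (root) CMD (run-parts /etc/cron.hourly)
Jun 20 15:55:10 ws2 sudo:    alice : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/umount /mnt
"""

def audit(log_text, expected_hosts, now, max_silence=timedelta(hours=2)):
    """Return (sudo commands per host, hosts silent for longer than max_silence)."""
    last_seen = {h: None for h in expected_hosts}
    sudo_cmds = {h: [] for h in expected_hosts}
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m or m.group(2) not in last_seen:
            continue
        stamp, host, prog, msg = m.groups()
        # Classic syslog timestamps carry no year; assume the year of `now`.
        ts = datetime.strptime(f"{now.year} {stamp}", "%Y %b %d %H:%M:%S")
        if last_seen[host] is None or ts > last_seen[host]:
            last_seen[host] = ts
        s = SUDO.match(msg) if prog == "sudo" else None
        if s:
            sudo_cmds[host].append((ts, s.group(1), s.group(3)))
    # A workstation that never logged, or stopped logging, is the finding.
    silent = sorted(h for h, ts in last_seen.items()
                    if ts is None or now - ts > max_silence)
    return sudo_cmds, silent

if __name__ == "__main__":
    cmds, silent = audit(SAMPLE, ["ws1", "ws2", "ws3", "ws4"], datetime(2000, 6, 20, 16, 0))
    for host in silent:
        last = cmds[host][-1][1:] if cmds[host] else "no sudo activity on record"
        print(f"{host}: logs absent; last sudo entry: {last}")
```

Because the check runs against the copy held on the log host, a workstation's last recorded sudo command survives even if its local logs are later altered.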

