Benjamin Scott wrote:
> 
> On Wed, 21 Jun 2000, Kenneth E. Lussier wrote:
>> Jerry and Bob have both stated that it would be "an
>> inconvenience to not have root". Well, if you can say
>> that it is an inconvenience, then that means you already
>> know that it can be done, you just don't want to spend
>> the time or the effort to do it.
> 
>   Wrong.  If that were the case, we wouldn't have
> networks, we would just use sloppy floppy copies for
> everything.  That is just a matter of time and effort,
> after all.

Well, since in your first statement you want to draw absolutes and go to
extremes, and in your next statement you contradict it, I'll let you
argue against yourself:

>   *ALL* of security revolves around risk/benefit
> analysis.  You measure the risk something carries against
> the benefit it provides.

Yes, in most companies it is called Risk Management. I know because I
did it. The benefits of giving out root access on production systems
do not outweigh the risks. Whereas the benefits of a network vs.
sneakernet do outweigh the risk.
Personally, I'm not a big fan of passwords, but software-based digital
certs aren't good enough yet, and smart cards are expensive and take a
while to implement.
    
>> When personal convenience overrides the security of the
>>company ...
 
>   How about the personal convenience of the admin staff?

How about it? I just love how convenient my life is. It's always a
pleasure to pore through 40 and 50 meg log files looking for a problem.
Not to mention how easy it is to track down a machine that isn't in DNS
to find out why it was flooding the network with broadcast traffic.
Oh, and how about when users delete a bunch of files when they didn't
want to and they need them restored immediately. That one is always a
breeze. And I really like it when they can't remember the file
names..... My life is so convenient.
 
>> However, since the box they are testing on is connected
>> to the CAT5, the CAT5 is connected to switch, the switch
>> is connected to the router, and the router is connected
>> to the firewall, then that engineer that is arrogant
>> enough to demand root needs to take responsibility for
>> EVERYTHING that that system affects.
 
>   And you're basing all your security on the fact that
> the user doesn't have the root password?

Why would you even ask that? Does no one deserve credit for intelligence
but you? But, based on that statement, please tell me what security
precautions can't be overridden by a root user.
  
>   Since engineers are obviously completely untrustworthy,
> how do you prevent them from bringing their own laptop in
> and hooking it up to that same ethernet?

First off, no one said that engineers are untrustworthy. What was said
was that no one *NEEDS* the root password other than those who are
responsible for administering the system. As for how to prevent a
laptop? DHCP with MAC address recognition. If they go so far as to spoof
the MAC address, then it would seem obvious that malicious intent is
present, and they should not be employed.

>> When they misconfigure a system and cause a data storm
>> and bring down the network for an entire company, THEY
>> need to fix it.
> 
>   If someone's testbedding something like that, you damn
> well better have it behind an interior firewall, or *you*
> -- *the admin* -- aren't doing your job.

Well, nice to see you validating what I said. An "interior firewall"...
hmmmm... Some might refer to that as a cocoon, or, just maybe, even a
LAB!?!?!
 
>> Basically, it's nice to say that the engineer will be
>> responsible for fixing the box that they break, but how
>> about everything else that they break because of it.
 
>   And when did the admin staff become perfect?  What
> happens when *they* screw up and break the whole network?
 
Wow.. snappy retort... Ever think that maybe we *KNOW* we aren't perfect
and that is why we 1) never log in as root 2) use things like sudo so we
can have logs of who did what 3) test things in a non-production
environment (a.k.a. LAB) and 4) communicate with one another about
making changes?

>> It is actually very basic: people want what they want,
>> when they want it, and they like to think that they are
>> important enough to demand and get it. Engineers,
>> managers, Vice Presidents, etc.
> 
>   ... sysadmins ...

We don't need to demand. Our lives are easy and convenient, remember?


Kenny

**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
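Kenny's point 2 above (sudo instead of a shared root password, so the logs say who did what) is only as good as somebody actually reading those logs. The script below is an added example for this thread, not code from the original post or from the gnhlug list: it parses syslog lines in the format sudo writes (invoking user, TTY, PWD, target USER, COMMAND, with a reason such as "command not allowed" prepended when sudo refuses), attributes each root command to a person, lists refused attempts, and flags the one thing per-command logging cannot see: an allowed command that hands the caller an interactive root shell. The log lines and host/user names are constructed for the example.

```python
"""Attribute root actions to the person who ran them from sudo's syslog lines.

Added example for this thread; the log lines below are constructed, not taken
from any real system or from the original post.
"""
import os
import re
from collections import defaultdict

# Constructed sample in the format sudo writes to syslog (user, TTY, PWD,
# target USER, COMMAND; a refusal carries a reason before the TTY field).
SAMPLE_LOG = """\
Jun 21 09:12:41 prod1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/messages
Jun 21 09:15:03 prod1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/ifconfig eth0 down
Jun 21 09:15:20 prod1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun 21 09:40:55 prod1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/vipw
Jun 21 10:02:10 prod1 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/su -
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)

# Programs that hand the caller an interactive shell as the target user.
# sudo logs only the command it launched, so everything typed inside such a
# shell never reaches this log (sudo's later "log_output" option closes that gap).
SHELL_LIKE = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "su"}


def parse_sudo_log(text):
    """Return one dict per sudo line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["allowed"] = rec["reason"] is None
        records.append(rec)
    return records


def commands_by_user(records):
    """Map each invoking user to the commands sudo actually ran for them."""
    out = defaultdict(list)
    for r in records:
        if r["allowed"]:
            out[r["user"]].append(r["cmd"])
    return dict(out)


def refused(records):
    """(user, command, reason) for every attempt sudo turned down."""
    return [(r["user"], r["cmd"], r["reason"]) for r in records if not r["allowed"]]


def root_shells(records):
    """(user, command) for allowed runs that opened an unlogged root shell."""
    hits = []
    for r in records:
        program = os.path.basename(r["cmd"].split()[0])
        if r["allowed"] and r["target"] == "root" and program in SHELL_LIKE:
            hits.append((r["user"], r["cmd"]))
    return hits


if __name__ == "__main__":
    recs = parse_sudo_log(SAMPLE_LOG)
    for user, cmds in sorted(commands_by_user(recs).items()):
        print(f"{user}: {len(cmds)} command(s) run as root")
    for user, cmd, why in refused(recs):
        print(f"refused: {user} tried {cmd!r} ({why})")
    for user, cmd in root_shells(recs):
        print(f"shell escape: {user} got a root shell via {cmd!r}")
```

Run against the sample it reports bob's refused /bin/bash and carol's allowed "su -". The second is the one to act on: a sudoers rule that permits su or a shell gives the engineer exactly the root the thread is arguing about, with a single log line for the whole session. Either restrict the allowed commands in sudoers or turn on sudo's I/O logging (Defaults log_output) so the session itself is recorded.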