Yesterday, Benjamin Scott gleaned this insight:

> On Wed, 21 Jun 2000, Kenneth E. Lussier wrote:
> > Jerry and Bob have both stated that it would be "an inconvenience to not
> > have root". Well, if you can say that it is an inconvenience, then that
> > means you already know that it can be done, you just don't want to spend
> > the time or the effort to do it.
> 
>   Wrong.  If that was the case, we wouldn't have networks, we would just use
> sloppy floppy copies for everything.  That is just a matter of time and
> effort, after all.

Oh come on Ben, now you're just being obtuse.  The analogy is bogus
because in one case, there's a real tradeoff, and in the other there is
only loss.

>   How about the personal convenience of the admin staff?

In the real world, do sysadmins make compromises for their own
convenience?  Of course this happens.  But if they lose their job over
such a convenience, they have no one to blame but themselves. I'm sure we
do this in our shop on occasion.  But we never compromise security or
resource availability for convenience.  NEVER.  You should see us fight
over this stuff.


> > However, since the box they are testing on is connected to the CAT5, the
> > CAT5 is connected to switch, the switch is connected to the router, and
> > the router is connected to the firewall, then that engineer that is
> > arrogant enough to demand root needs to take responsibility for EVERYTHING
> > that that system affects.
> 
>   And you're basing all your security on the fact that the user doesn't have
> the root password?
> 
>   Since engineers are obviously completely untrustworthy, how do you prevent
> them from bringing their own laptop in and hooking it up to that same ethernet?

What, you didn't think we'd have an answer?  Statically assigned IP
addresses via DHCP based on MAC addresses.  

What's that?  Unrealistic you say?  WE'RE DOING IT.  RIGHT NOW.

No MAC address?  No network resources.  Period.


> > When they misconfigure a system and cause a data storm and bring down the
> > network for an entire company, THEY need to fix it.
> 
>   If someone's testbedding something like that, you damn well better have it
> behind an interior firewall, or *you* -- *the admin* -- aren't doing your job.

Sure, but if it's the machine that the engineer uses to do ALL his work
on, requiring full access to the network, THEN WHAT?


>   And when did the admin staff become perfect?  What happens when
> *they* screw up and break the whole network?

You never worked with us... ;-)

> > It is actually very basic: people want what they want, when they want it,
> > and they like to think that they are important enough to demand and get
> > it. Engineers, managers, Vice Presidents, etc.
> 
>   ... sysadmins ...

Again, you never worked with us...  Seriously this time.  Ask Paul how
many times I told him he couldn't do something because it had no benefit
to the user community.  LOTS.  And vice versa.  And we both flog Kenny
endlessly...  :-D

We take our job very seriously. In case you hadn't noticed... :)

-- 
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin      |  Unix/Linux Geek
[EMAIL PROTECTED]  |  [EMAIL PROTECTED]
------------------------------------------------------
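The "static addresses via DHCP keyed on MAC, no MAC means no network" setup described in the reply, written out as an added example; this is not the author's configuration (the thread never says which DHCP server the shop ran), so ISC dhcpd syntax is assumed, and the subnet, host names and hardware addresses are constructed placeholders.

```conf
# Added example (not from the original mail): ISC dhcpd.conf fragment that
# hands out addresses only to hosts whose MAC is registered below.
# Subnet, names and MACs are constructed placeholders.

authoritative;
default-lease-time 86400;
max-lease-time 86400;

subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;
    option domain-name-servers 192.0.2.2;

    # No "range" statement: there is no dynamic pool at all, and unknown
    # clients are refused outright rather than parked in a guest range.
    deny unknown-clients;
}

# One "host" block per registered machine. A client whose MAC does not
# match any of these gets no lease, which is the "No MAC address? No
# network resources." policy from the reply.
host eng-ws01 {
    hardware ethernet 02:00:00:00:00:01;   # constructed placeholder MAC
    fixed-address 192.0.2.50;
}

host eng-ws02 {
    hardware ethernet 02:00:00:00:00:02;   # constructed placeholder MAC
    fixed-address 192.0.2.51;
}
```

Check the result with `dhcpd -t -cf /path/to/dhcpd.conf` before reloading; the daemon logs each refused unknown client, which gives the admin staff a record of unregistered hardware showing up on the wire.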