On Wed, Jun 21, 2000 at 09:41:14PM -0400, Kenneth E. Lussier <[EMAIL PROTECTED]> 
wrote:
> First off, no one said that engineers are untrustworthy. What was said
> was that no one *NEEDS* the root password other than those who are
> responsible for administering the system. As for how to prevent a
> laptop? DHCP with MAC address recognition. If they go so far as to spoof
> the MAC address, then it would seem obvious that malicious intent is
> present, and they should not be employed.

    Two points:

    (1) If an engineer is responsible for administering
his own system, he should likely have the root password then
(although, as mentioned, you may want to provide separation from the
production environment).

    (2) You state that "if they go so far", they
should not be employed.  How is this different from giving them root
on a machine and doing your best to make sure that NIS/NFS/etc. setups
won't let them get root on a "more valuable" machine?  You're
basically saying that you have to give up at some point and say
"Well, if they're that dedicated, there's nothing we can reasonably
do".  If that's the case, why not let a test machine on which I have
root access be on the same network as a production machine on which
sys admins prefer that I don't get root?  After all, if there is a bug
in NIS that allows this, we should fix it, right?  Also, since I'm
writing the software that goes onto these machines (in my specific
case), I could "go so far" as to specifically overlook a bug that
would allow me root access in the future.  I guess I would just draw
the line at a different point.

-- 
Bob Bell                Compaq Computer Corporation
Software Engineer       110 Spit Brook Rd - ZKO3-3/U14
TruCluster Group        Nashua, NH 03062-2698
[EMAIL PROTECTED]     603-884-0595
