On Thu, 2003-10-30 at 22:15, Post, Mark K wrote:
> A lot of the objections are being made because the assumption that you need
> the root password to shut down is incorrect. Bootshell, the Signal Shutdown
> facility, etc., obviate the need for that.
But when I can log on to the Linux virtual machine, I can break much more. #CP STORE is like the "Mother of all buffer overruns": when you know where to poke, you can make it do what you like (unless you make "less than G" virtual machines that cannot tamper with their virtual equipment). Compare being able to log on with physical access to the discrete machine (plus facilities you can only dream of on Intel machines). I know some shops where the machines are in locked racks and access is managed and recorded. If you want something like that you should run with RACF/VM and protect the logon to the virtual machines.

The other thing that is important to me is separating authentication and access control. This is what you do with LOGONBY access. The same thing can be achieved with public/private keys in SSH. You authenticate yourself with your private key, and somewhere else we list what public keys are valid to access root. So our servers don't even have a root password (someone with LOGONBY access could set one in case sshd were completely broken).

In fact, we went beyond this. There is no access list on root anymore, but we allow authorized staff to use 'sudo' and also have logging of any privileged commands that were issued.

Rob
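The "logging of any privileged commands" in the message above is, on a typical Linux guest, sudo's syslog output. The following is an added example, not code from this thread or from any z/VM or Linux/390 tool: a small Python auditor that parses constructed sudo log lines (the host name `lnx1`, the users, times and commands are all hypothetical) and tallies, per invoking user, how many privileged commands ran and how many were refused. Lines from other daemons (an sshd publickey acceptance is included as a distractor) are skipped. This is the after-the-fact review that makes "no root password, sudo with logging" an auditable arrangement rather than just a convenient one.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format sudo emits via syslog.
# Host name, user names, times and commands are hypothetical, not from the thread.
SAMPLE_LOG = """\
Oct 30 22:40:11 lnx1 sudo:    rob : TTY=pts/0 ; PWD=/home/rob ; USER=root ; COMMAND=/sbin/shutdown -h now
Oct 30 22:41:03 lnx1 sudo:   mark : TTY=pts/1 ; PWD=/home/mark ; USER=root ; COMMAND=/usr/sbin/useradd newsvc
Oct 30 22:42:17 lnx1 sudo:  alice : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Oct 30 22:43:55 lnx1 sudo:    rob : command not allowed ; TTY=pts/0 ; PWD=/home/rob ; USER=root ; COMMAND=/bin/su -
Oct 30 22:44:02 lnx1 sshd[812]: Accepted publickey for rob from 10.0.0.5 port 40122 ssh2
"""

# One sudo record. A denial reason ("user NOT in sudoers", "command not allowed")
# appears, when present, between the invoking user and the TTY= field.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) :(?: (?P<reason>[^;]+?) ;)? TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_log(text):
    """Return one dict per sudo record; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # No denial reason means sudo actually ran the command.
        rec["allowed"] = rec["reason"] is None
        events.append(rec)
    return events


def summarize(events):
    """Per invoking user: how many privileged commands ran and how many were refused."""
    counts = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for e in events:
        counts[e["user"]]["allowed" if e["allowed"] else "denied"] += 1
    return dict(counts)


def denied(events):
    """Refused attempts as (user, reason, command); the lines an auditor reads first."""
    return [(e["user"], e["reason"], e["cmd"]) for e in events if not e["allowed"]]


if __name__ == "__main__":
    evs = parse_sudo_log(SAMPLE_LOG)
    for user, c in sorted(summarize(evs).items()):
        print(f"{user:8s} allowed={c['allowed']} denied={c['denied']}")
    for user, reason, cmd in denied(evs):
        print(f"DENIED {user}: {reason} -> {cmd}")
```

Run against a real `/var/log/auth.log` or `/var/log/secure` the same functions apply unchanged; the only assumption baked in is sudo's default syslog line layout, which has used the `user : [reason ;] TTY= ; PWD= ; USER= ; COMMAND=` shape for a long time.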
