> After freelancing for three years and using iServer for the past 14
> months, I'm trying to explain to a manager why we Web Developers need
> "near" superuser privileges. Because I've had so much freedom over the
> years, I admit, my opinion may be biased. It can be a bit frustrating to
> have to find an SA who must log in as root to change simple things like
> directory and file permissions, or even configure servers so we can
> complete our tasks.
>
> Can anyone share what duties you could (or even prefer to) perform
> yourself as a full-time Web Developer and employee in similar
> situations? I would like to use the job duties of fellow Web developers
> when we plead our case.


if you want to do anything more than upload new pages to the webserver,
you have to be able to drop to root occasionally.   the basic security
considerations which keep any random user from trashing the system will
keep a serious site administrator at bay, too.

the number of tasks necessary to site administration which need root
access is endless.. probably the best example is trying to adjust the
httpd.conf file.   i always set the ownership of that file to root, with
read-only permission for all users (chmod 0444).   that keeps non-root
users from messing with it, and also keeps me from saving accidental
changes without noticing.. a perennial source of hidden glitches that
blow up on reboot.

if i'm really working a system, i'll kill and restart the httpd a dozen
times in ten minutes.   once i've finished, i reboot the entire server,
just to clear out any latent gotchas that may have accumulated while i
was working.   you have to have root to do any of that.   if i had to
coordinate a normal system overhaul with an external sysad, we'd waste a
day and end up hating each other's guts before i accomplished what i can
normally do in fifteen minutes.


there are two options i can suggest offhand.. first, some unix systems
offer a command called 'sudo', which executes a single command (from a
root-defined list of options) as root. the users on the 'sudo' list
don't have the root password, and can of course make all sorts of
trouble if they misbehave, but it's a decent half-step between the
standard all-or-nothing proposition.


the other option, which will take more selling, but is better for
everyone in the long run, is to have them set up a small linux box for
you behind the production servers, and give you complete control of
that.

the systems staff can choke off access from any computer outside your LAN
(or within it, for that matter) reliably and easily with the standard
tcp wrapper packages:

    /etc/hosts.allow: ftp,telnet : mybox.foo.com
                      http       : mybox.foo.com,www.foo.com

    /etc/hosts.deny:  ALL : ALL

making the machine inaccessible to anyone but your own workstation, if
they want to cut things that fine.   web requests from the outside world
can be proxied through the production server with a simple and easily
maintained (a selling point for any sysad) Apache server, which acts as
an application-level firewall between the internet and the box you
control.

you get control over a machine nobody else can touch, and that the
systems staff won't mess around with beyond the usual low-level
networking and backups.   the systems staff lose a major source of
busy-work by moving everything you control to a secure machine which can
be blown away and rebuilt from backups if necessary.   they can also
kick you off the production server entirely, because the changes you'll
make to that will be small enough that they can be handled with
work-orders.

it really is a reasonable option for an organization where the online
team are trying to support a serious online presence, but aren't
full-fledged members of the IT dep't.   it's something i plan to do
here, assuming i last long enough to see the users who want privilege
develop the skills necessary to maintain such a machine.









mike stone  <[EMAIL PROTECTED]>   'net geek..
been there, done that,  have network, will travel.
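
Added example, not part of the original message: a simplified Python model of how tcp wrappers evaluates the hosts.allow / hosts.deny pair shown above, to make the resulting default-deny policy checkable. It assumes only plain daemon and client lists, the ALL wildcard and ".domain" suffixes; the service names (ftp, telnet, http) are the message's illustrative names rather than real daemon process names.

```python
# Added example: simplified model of tcp wrappers (hosts_access) evaluation.
# Covers only daemon/client lists, the ALL wildcard and ".domain" suffixes.

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def _matches(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # ".foo.com" matches any host in foo.com
        return value.lower().endswith(pattern.lower())
    return pattern.lower() == value.lower()

def _any_rule_matches(rules, daemon, client):
    return any(any(_matches(d, daemon) for d in daemons) and
               any(_matches(c, client) for c in clients)
               for daemons, clients in rules)

def access_allowed(allow_text, deny_text, daemon, client):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if _any_rule_matches(parse_rules(allow_text), daemon, client):
        return True
    if _any_rule_matches(parse_rules(deny_text), daemon, client):
        return False
    return True

# Constructed input mirroring the policy in the message (illustrative names).
HOSTS_ALLOW = """
ftp,telnet : mybox.foo.com
http       : mybox.foo.com,www.foo.com
"""
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    for daemon, client in [("ftp", "mybox.foo.com"), ("http", "www.foo.com"),
                           ("telnet", "www.foo.com"), ("ftp", "other.example.net")]:
        ok = access_allowed(HOSTS_ALLOW, HOSTS_DENY, daemon, client)
        print(f"{daemon:7} from {client:18} -> {'allow' if ok else 'deny'}")
```

Without the `ALL : ALL` line in hosts.deny, any unmatched request falls through to "allow", so the deny file is what makes the allow list an actual restriction.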


