What do you believe?

At my new job we're setting up a new set of servers for a special project. The person setting them up asked what I believed the best policy was for sharing root, and creating "group" accounts that many people would log into. I thought it was a good idea to lay out my general philosophies. I thought you all might be interested.

I believe in individual accounts, not "shared accounts" or "group accounts"; I believe that any exception to this rule shows a failure in the UNIX "group" permissions construct, or a failure of the IT staff to know all the powerful things the group permissions can do.

I believe in sshd servers configured to not permit passwords, only keys. I believe that if someone has an emergency need to log in without a key (from a friend's house, for example), there will be a procedure for them to call someone who will enable passwords for a moment. I believe that if you need to get into a system with a password, they should be on the serial console, which is connected to a console server.
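
As an added example (not from the original post), here is a small POSIX shell audit of the "keys only" rule: it reports whether a given sshd_config actually disables password logins, including the keyboard-interactive path that PAM can turn into a plain password prompt. The file names and sample configs are constructed for the demo.

```shell
#!/bin/sh
# Audit an sshd_config against the "keys only" rule.  Two things the file alone
# does not make obvious are modelled: sshd uses the FIRST value it sees for a
# keyword, and an unset keyword keeps OpenSSH's default (PasswordAuthentication
# defaults to yes).  Only global settings are examined; everything from the
# first "Match" line on is ignored, a deliberate simplification of this example.

# effective_value FILE KEYWORD DEFAULT -> prints the effective global value
effective_value() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match"      { exit }   # conditional blocks: stop here
        /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
        tolower($1) == tolower(key) && !found { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# passwords_disabled FILE -> exit 0 only when no password-style login remains.
# Keyboard-interactive auth must be off as well: with UsePAM it is just another
# password prompt.  OpenSSH 8.7 renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication, so the old spelling is honoured as a fallback.
passwords_disabled() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    kbd=$(effective_value "$1" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(effective_value "$1" ChallengeResponseAuthentication yes)
    [ "$pw" = no ] && [ "$kbd" = no ]
}

# Constructed sample configs for the demo and test; none is from a real host.
write_samples() {
    # stock: nothing set, so password logins stay enabled by default
    printf '%s\n' '# stock config' 'PermitRootLogin no' > "$1/stock"
    # halfway: PasswordAuthentication off, but PAM can still prompt via kbd-int
    printf '%s\n' 'PasswordAuthentication no' 'UsePAM yes' > "$1/halfway"
    # keysonly: the intended policy; the later duplicate "yes" is ignored
    printf '%s\n' 'PasswordAuthentication no' 'KbdInteractiveAuthentication no' \
        'PubkeyAuthentication yes' 'PasswordAuthentication yes' > "$1/keysonly"
    # withmatch: a Match block after the globals must not change the verdict
    printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
        'Match User emergency' '    PasswordAuthentication yes' > "$1/withmatch"
}

# Demo: stock and halfway should FAIL, keysonly and withmatch should pass.
dir=$(mktemp -d); write_samples "$dir"
for f in stock halfway keysonly withmatch; do
    if passwords_disabled "$dir/$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```

To audit a real host, point `passwords_disabled` at its sshd_config (and remember that `sshd -T` shows the fully resolved configuration, Match blocks included).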

I believe that people that need root a lot are called "sysadmins" and should be required to log in as themselves and then become root, preferably by sudo. I believe that every time a regular user needs "root", then the IT department has failed in some way.

I believe that regular users that need root should be given access to individual commands through sudo, and if they need a root shell they should sign a "privileged access policy" document that says that they'll not abuse their power, they'll keep private information private, and that they'll freely report mistakes to the IT department so they can be repaired quickly.

Well, I believe in the soul... the dawn...the evening... the small of a woman's back... the hangin' curveball... high fiber... good scotch... that the novels of Susan Sontag are self-indulgent overrated crap... I believe Lee Harvey Oswald acted alone. I believe there ought to be a Constitutional amendment outlawing Astroturf and the designated hitter. I believe in the sweet spot, soft core pornography, opening your presents Christmas morning rather than Christmas Eve, and I believe in long, slow, deep, soft, wet kisses that last three days.

And finally, I believe that any time someone asks me what "I believe" that I should be permitted to include the entire "I believe" quote from the 1988 film "Bull Durham".

Sincerely,
Tom Limoncelli

What do you believe in?

Posted by Tom Limoncelli


2 Comments

I believe that you meant to type "any time" instead of "anyone" in that last paragraph.

But the rest of it I'm down with, completely.

Instead of using ssh with a password or a key, you should kinit and then ssh across using kerberos tickets.

Then on the machine, do what you need with an individual user account,

or use sudo

or use ksu

Ideally, you don't even know the local root account's password...
