nanog mailing list archives
Re: Security Practices question
From: Scott Francis <darkuncle () darkuncle net>
Date: Thu, 3 Oct 2002 09:31:57 -0700
On Wed, Oct 02, 2002 at 05:48:16PM -0700, matt () snark net said:
> On Wed, 2 Oct 2002, Scott Francis wrote:
> > Can you back up that statement in /any/ way? What exactly are your reasons why sudo is a worse solution (or even a bad idea)?
>
> In an environment where every sysadmin is interchangeable, and any one of them can be woken up at 3am to fix the random problem of the day, you tell me how to manage 'sudoers' on 4000 machines.
You don't _have_ logins directly to 4000 machines. You have a central admin host (or five) with user-level accounts. Those user-level accounts can 'sudo ssh <target>' to accomplish things as root on the remote boxes. Given the nature of the UNIX permissions structure, any solution is going to be lacking when scaled up large enough - but the problems involved in properly administering sudo are considerably smaller than those introduced by having multiple uid 0 accounts (especially multiple uid 0 accounts on multiple machines). What do you do when one (or ten) of those 'interchangeable sysadmins' leaves the company? _Then_ you have a real nightmare - changing root and removing uid 0 accounts on 4000 boxes. I'd rather manage /etc/sudoers, thanks very much.
> In a situation where the team needs root, all per-admin UID 0 accounts add is accountability and personalized shells/environments.
All of which can be handled with sudo, without giving away the keys to the castle.
> Sorry to ruffle your dogma.
Not dogma, just best practice.

-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
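The two mechanisms argued over above, checked in code (an added example, not part of the original thread or any poster's code): a small audit over a constructed /etc/passwd and a constructed sudoers fragment that lists extra uid 0 accounts, lists who holds root through sudo, and answers the offboarding question of which access paths a departing admin still has. The sudoers parser is deliberately minimal and only understands User_Alias lines and simple user specs.

```python
"""Audit root access as in the thread: extra uid-0 accounts in /etc/passwd
versus users granted root via sudoers. Added example; inputs are constructed."""
import re

PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second uid-0 account:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""

SUDOERS = """\
User_Alias ADMINS = alice, bob
Cmnd_Alias REMOTE_ROOT = /usr/bin/ssh
ADMINS ALL = (root) REMOTE_ROOT
carol ALL = (ALL) ALL
"""

def uid0_accounts(passwd_text):
    """Every account with uid 0; anything beyond 'root' is a finding."""
    return [f[0] for f in (rec.split(":") for rec in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0"]

def sudo_root_users(sudoers_text):
    """Users allowed to run something as root via sudoers.
    Handles User_Alias and simple 'who host = (runas) cmd' specs only."""
    aliases, users = {}, set()
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = re.match(r"User_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\((\w+)\))?", line)
        if m:
            who, runas = m.group(1), m.group(2) or "root"  # no (runas) means root
            if runas in ("root", "ALL"):
                users.update(aliases.get(who, [who]))
    return sorted(users)

def remaining_root_access(user, passwd_text=PASSWD, sudoers_text=SUDOERS):
    # Offboarding check: which mechanisms still grant this user root?
    paths = []
    if user in uid0_accounts(passwd_text):
        paths.append("uid0 account")
    if user in sudo_root_users(sudoers_text):
        paths.append("sudoers")
    return paths
```

Removing a departed admin from the User_Alias line is one edit on the central host; a uid 0 account, by contrast, has to be found and removed on every box where it was created.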