Root access to NON-administrators 1

[ttutor]

I am being asked, as an IT professional (Unix OS - SUN and RS/6000), to allow multiple personnel in another department to the ability to run full root commands in order to fulfill their jobs as storage administrators (EMC). I am looking for some help in identifying the impacts and security vulnerabilities of allowing this to happen.

Any input would be appreciated.

 

[Feline]

the main impact i would be concerned about is having people with enough knowledge to be dangerous screwing your system and needing you to put it back together again.

look for a utility called sudo. it allows you to run root commands as the user and it also allows logging so you can keep an eye on what they are up to.

you can also use sudo to make a shell so they can open a root shell, do what they do, you are collecting logs on it and its all good.

 

[ttutor]

Feline - Thanks for the response. I have sudo setup and functioning but still do not want to allow other departments to run root level commands on my system. I am trying to persuade management to not let it happen. I guess I am really looking for information on why it is a BAD idea to give root level access to others.

 

[AHinMaine]

How about relying on some examples of problems caused.

We had a meathead at my office that accidentally typed rm -rf /var and hit enter...

There were other incidents, but that one obviously cost the most man hours. Stupid things like something as simple as screwing up file permissions can cause an "operator induced outage" as we call it.

If they consider their systems "mission-critical," anything less than an expert with root access is an invitation to disaster. --
Andy

http://www.nachoz.com

 

[felixfong]

We do allow root access with engineering lab machines, since, they do need that. However, such machine will not be covered under any admin troubleshooting. Disk image restore will be the solution for any "screwup".

"NOWAY" you should give root access to any user with "mission-critical" machine.

 

[crowe]

I think they (storage admins) should be able to identify which commands they need to run "as root". There should not be a whole lot of show stoppers to accomplish what they need to do. Each command can be outlined in the sudoers file.

crowe

 

[squash]

Here are a few things to consider in your quest for solving this difficult question.

And how I would go about explaining it to management.

1. Put a dollar value on system outage, So 1 hour equals $100.00 or whatever might apply to your company. You may even want to get management involved in this.
2. Have the EMS dept request exactly what it is they need root access for, details are important. So you will know what commands are need to run and why.
3. Lay out a plan to solve those dept issues that do not involve giving root access. Like using sudo, or a formal request to have certain commands run for them at a certain time, etc.
4. Show Management that the wonders of a UNIX system are many ways to solve any given problem, not just giving root access to all that request it.
5. List some reasons that root access is a risk to the company. Some examples.
A) Simple mistakes can cost hours of downtime to fix.
B) No way to easily track who did what, therefore adding to the time to fix mistakes.
C) Data Integrity, For instance can the financial dept risk a mistake that may not be found for weeks or days, or worst yet at month end.
D) Confusion over who is responsible for what, causing greater lead time in solving other problems that may seem related to storage.

These are just a few idea's I hope you can use. A well thought out plan works best when approaching management with what's in the best interest of the company.

 

[squash]

One more thought.

In a similar situation a few years back I had manegment of the Tape storage dept also wanting root access on an SCO UNIX box. After investigating I found he really just needed to run a few commands.

To solve this I wrote a simple script to run a menu his users could access then in the scipt the commands would run with the asroot command. (very similiar to sudo).

This solved his problem and made it much easier for his users, who by the way did not care if they had root, just wanted to do their jobs.

Win-win.

Good luck