Date: Thu, 29 Dec 2011 10:58:47 +0100
From: Polytropon <freebsd@edvax.de>
To: Irk Ed <irked7189@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: OT: Root access policy
Message-ID: <20111229105847.e15848ba.freebsd@edvax.de>
In-Reply-To: <CA+Ne_iJfFK43CE+L2LHcqNSmv7AmRDYyAu4pXGFpd3QB+y3p2w@mail.gmail.com>
References: <CA+Ne_iJfFK43CE+L2LHcqNSmv7AmRDYyAu4pXGFpd3QB+y3p2w@mail.gmail.com>
On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote:
> For the first time, a customer is asking me for root access to said
> customer's servers.

Customer + root@server == !go; :-)

> Obviously, I must comply. At the same time, I cannot continue to be
> accountable for those servers.

Fully correct. Check the contract you made with the customer
regarding responsibility and conclusions.

> Is this that simple and clear cut?

I'd think so. Maybe changing the contract is required.

> Assuming that I'll be asked to continue administering said servers,
> I guess I should at least enable accounting...

You could have better success using sudo. Make sure the customer is
allowed to "sudo <command>". The sudo program will log _all_ things
the customer does, so you can be sure you can review actions.

Furthermore you don't need to give him the _real_ root password. He
won't be able to "su root" or to login as root, _real_ root. But he
can use the "sudo" prefix to issue commands "with root privileges".

> I'd appreciate comments/experience/advice from the wise...

Just a thought: "Parallel administration" (you _and_ the customer),
both capable of using the power of the root password, can lead to
trouble. Avoid it whenever possible, use "sudo" to satisfy the
demands of the customer. And make sure that - as he now possesses
immense power - you regulate the responsibilities by CONTRACT: _you_
are not responsible if he does "sudo rm -rf /" or something similar.

I'd give the customer only as much access as he actually needs.
"Role based models" such as they can be done without root passwords
(tools: sudo, super) can help here.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
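As an added, illustrative example (not part of the mail above, and not a
recommendation from its author): the two halves of the sudo approach
described there, a restrictive sudoers drop-in for the customer account,
and a small audit of the syslog lines sudo writes, run over a handful of
constructed log entries. The user name "customer", the host name "srv1",
the permitted commands and the FreeBSD ports path
/usr/local/etc/sudoers.d/ are all assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the original mail. Assumptions: a login
# "customer", sudo from FreeBSD ports (config under /usr/local/etc/), and
# the sample log text below, which is constructed for this demonstration.

# Print a sudoers drop-in that lets "customer" run a few named commands as
# root, with command and I/O logging, but no shell and no "su". Install it
# with visudo (e.g. "visudo -f /usr/local/etc/sudoers.d/customer"), which
# checks the syntax; never edit sudoers with a plain editor.
sudoers_fragment() {
    cat <<'EOF'
# Drop-in for the "customer" account (assumed name). Only listed commands.
Defaults:customer log_output
Defaults:customer logfile="/var/log/sudo-customer.log"
Cmnd_Alias CUSTOMER_CMDS = /usr/sbin/service, \
                           /usr/bin/tail -f /var/log/messages
customer ALL = (root) CUSTOMER_CMDS
EOF
}

# Constructed sample of what sudo logs via syslog (two permitted commands,
# one denied command, one failed authentication, plus an unrelated line).
SAMPLE_LOG='Dec 29 10:58:47 srv1 sudo:  customer : TTY=pts/0 ; PWD=/home/customer ; USER=root ; COMMAND=/usr/sbin/service nginx restart
Dec 29 11:02:13 srv1 sudo:  customer : TTY=pts/0 ; PWD=/home/customer ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/messages
Dec 29 11:05:40 srv1 sudo:  customer : command not allowed ; TTY=pts/0 ; PWD=/home/customer ; USER=root ; COMMAND=/bin/sh
Dec 29 11:06:02 srv1 sudo:  customer : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/customer ; USER=root ; COMMAND=/usr/bin/su
Dec 29 11:07:15 srv1 sshd[1234]: Accepted publickey for customer from 192.0.2.10 port 50000 ssh2'

# sudo_events allowed|denied  -- reads syslog text on stdin and prints
# "user<TAB>command" for each sudo entry of the requested kind.
sudo_events() {
    awk -v want="$1" '
        / sudo: / {
            sub(/.* sudo: +/, "")                  # drop the syslog prefix
            n = split($0, f, / ; /)                # sudo separates fields with " ; "
            user = f[1]; sub(/ :.*/, "", user)     # "customer : TTY=..." -> "customer"
            cmd = ""
            for (i = 1; i <= n; i++) if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            denied = (f[1] ~ /command not allowed|incorrect password/)
            if ((want == "denied") == denied) print user "\t" cmd
        }'
}

count_allowed() { printf '%s\n' "$SAMPLE_LOG" | sudo_events allowed | wc -l | tr -d ' '; }
count_denied()  { printf '%s\n' "$SAMPLE_LOG" | sudo_events denied  | wc -l | tr -d ' '; }

echo "--- sudoers drop-in ---"
sudoers_fragment
echo "--- commands the customer ran as root ---"
printf '%s\n' "$SAMPLE_LOG" | sudo_events allowed
echo "--- denied or failed attempts ---"
printf '%s\n' "$SAMPLE_LOG" | sudo_events denied
```

Two caveats a practitioner would want alongside this: the drop-in deliberately
lists commands rather than excluding shells with "!" entries, because sudo's
own documentation warns that negated commands are not a real deny (the user
can copy a binary under another name); and any command that can write files
or run scripts as root (service, package managers, editors, pagers) is still a
path to full root, so the list is a way to make the customer's actions
reviewable and deliberate, not a security boundary against a hostile customer.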
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111229105847.e15848ba.freebsd>