From owner-freebsd-questions@FreeBSD.ORG Thu Dec 29 09:58:50 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 89D5F106564A for ; Thu, 29 Dec 2011 09:58:50 +0000 (UTC) (envelope-from freebsd@edvax.de) Received: from mx01.qsc.de (mx01.qsc.de [213.148.129.14]) by mx1.freebsd.org (Postfix) with ESMTP id 492438FC08 for ; Thu, 29 Dec 2011 09:58:50 +0000 (UTC) Received: from r56.edvax.de (port-92-195-18-127.dynamic.qsc.de [92.195.18.127]) by mx01.qsc.de (Postfix) with ESMTP id 93ABC3C8A4; Thu, 29 Dec 2011 10:58:48 +0100 (CET) Received: from r56.edvax.de (localhost [127.0.0.1]) by r56.edvax.de (8.14.5/8.14.5) with SMTP id pBT9wm9f001885; Thu, 29 Dec 2011 10:58:48 +0100 (CET) (envelope-from freebsd@edvax.de) Date: Thu, 29 Dec 2011 10:58:47 +0100 From: Polytropon To: Irk Ed Message-Id: <20111229105847.e15848ba.freebsd@edvax.de> In-Reply-To: References: Organization: EDVAX X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: freebsd-questions@freebsd.org Subject: Re: OT: Root access policy X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Polytropon List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Dec 2011 09:58:50 -0000 On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote: > For the first time, a customer is asking me for root access to said > customer's servers. Customer + root@server == !go; :-) > Obviously, I must comply. At the same time, I cannot continue be > accountable for those servers. Fully correct. Check the contract you made with the customer regarding responsibility and conclusions. > Is this that simple and clear cut? I'd think so. Maybe changing the contract is required. > Assuming that I'll be asked to continue administering said servers, I guess > I should at least enable accounting... You could have better success using sudo. Make sure the customer is allowed to "sudo ". The sudo program will log _all_ things the customer does, so you can be sure you can review actions. Furthermore you don't need to give him the _real_ root password. He won't be able to "su root" or to login as root, _real_ root. But he can use the "sudo" prefix to issue commands "with root privileges". > I'd appreciate comments/experience/advice from the wise... Just a thought: "Parallel administration" (you _and_ the customer), both capable of using the power of the root password, can lead to trouble. Avoid it whenever possible, use "sudo" to satisfy the demands of the customer. And make sure that - as he now posesses immense power - you regulate the responsibilities by CONTRACT: _you_ are not responsible if he does "sudo rm -rf /" or something similar. I'd give the customer only that much access as he actually needs. "Role based models" such as they can be done without root passwords (tools: sudo, super) can help here. -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...