Date: Wed, 26 Feb 1997 10:49:19 +1030 (CST)
From: Michael Smith <msmith@atrad.adelaide.edu.au>
To: burton@bsampley.vip.best.com (Burton Sampley)
Cc: guido@gvr.win.tue.nl, chuckr@glue.umd.edu, danny@panda.hilink.com.au, ache@nagual.ru, guido@freefall.freebsd.org, CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-usrbin@freefall.freebsd.org
Subject: Re: cvs commit: src/usr.bin/su su.1 su.c
Message-ID: <199702260019.KAA19615@genesis.atrad.adelaide.edu.au>
In-Reply-To: <Pine.BSF.3.91.970225152537.202A-100000@bsampley.vip.best.com> from Burton Sampley at "Feb 25, 97 03:33:33 pm"

Burton Sampley stands accused of saying:
>
> I have to take a minute to throw in my 2 cents here. After working in
> the EDP Audit Department for a major bank in the US, the thought of a co.
> not knowing who has access to root privs is a little frightening. What's
> the co.'s reasoning for this kind of setup? I would hope it's *NOT* a
> mission critical, production box.

It's the day for sharing ideas 8)

I've put muddy footprints on a goodly number of *nix shop floors around
here, and they fall into a number of different groups with regard to
root access.

You have 'secure' shops, that usually have an experienced *nix admin and
run a tight show. There are procedures for things and stuff is
controlled and (if the admin is any good) things generally go smoothly.

There are 'fossil' shops, where the *nix machine(s) were set up by an
employee that has subsequently left, or were bought and never looked
after. Everyone logs in as root. I bill these people double 8)

Then you have sites where the *nix machines are used by people that are
generally technically competent, but don't have the time or the
motivation to go overboard with administration. We run one here, and I
do quite a bit of on-the-side support for a number of other sites with
similar arrangements.

In these situations, it may be handy to reduce the protection on the
root account to just its password, so I'd go along with the above
suggestion, as long as it's clearly documented in the relevant manual
pages. (su and group at least)

Many of these _are_ 'mission-critical' production systems, but they're
in situations where the employees are already in a position of trust,
and generally don't have the sort of management and admins that you
find in the financial sector. (Cue Dilbert xref)

--
]] Mike Smith, Software Engineer        msmith@gsoft.com.au             [[
]] Genesis Software                     genesis@gsoft.com.au            [[
]] High-speed data acquisition and      (GSM mobile)     0411-222-496   [[
]] realtime instrument control.         (ph)          +61-8-8267-3493   [[
]] Unix hardware collector.     "Where are your PEZ?" The Tick          [[