Date: Mon, 7 Jan 2002 16:46:37 +0100
From: Cliff Sarginson
To: FreeBSD-questions
Subject: Re: FYI Re: Can I rename root?
Message-ID: <20020107154637.GB3466@raggedclown.net>
References: <20020107143958.GA2968@raggedclown.net>

On Mon, Jan 07, 2002 at 03:05:24PM +0000, Jan Grant wrote:
> On Mon, 7 Jan 2002, Cliff Sarginson wrote:
>
> > On Mon, Jan 07, 2002 at 03:07:45PM +0100, Roman Neuhauser wrote:
> > > Truth is that telling someone to do or to avoid something, not
> > > telling them why (giving an example), turns the advice into a dogma,
> > > and I don't think that's very useful.
>
> > Does it ?
>
> Yes; that's what "cargo-cult" sysadmin is all about.
>

I have no idea what that expression means.

And to repeat, he was told why. He just didn't believe it.
The experience of systems managers, systems programmers etc
(a category into which I fall) was not proof enough for him.

Hey, this is a voluntary mailing list, no-one is obliged to offer
"proof", but if people ask a question and don't believe the answers
experienced people give them, then there is not much point in asking
the question.

In this case someone dug up a piece of code that proved it to the
satisfaction of the person asking the question. Well, that is nice,
someone did that. The fact that the proof was a piece of "C" code that
the asker probably did not understand seems to be getting glossed over
here.

A dogma is a belief, usually irrational, or without basis in reality.
So if an answer from someone with 20+ years of Systems Management
experience is regarded as dogma and ignored, well so be it.

The asker is a physicist, maybe he can prove to me that nothing can
travel faster than the speed of light without using equations I
probably will not understand. E=MC2, prove it to me.

> Slightly more on-topic: the notion of "root" is (very, very slowly)
> going away - see Trusted Solaris ferinstance. TrustedBSD is working on
> much the same kind of thing - "fine-grained system capabilities". FS
> ACLs might be a more obvious output of the project, but the notion is
> that instead of a single "superuser" account, core system admin roles
> may be split amongst accounts. Thus you would be able to have, say, a
> security event auditor who could review audit logs, but with little or
> no other privileges; and (in a simple scenario) a lower-powered "root"
> who could do everything else _except_ modify their audit trail.
>
> This is, however, some time away from FreeBSD-STABLE (maybe in 5.0?*).
>

Yes, and is an interesting development. One that has been discussed,
even worked on, for at least a decade as far as I am aware but never
seems to have surfaced. I know someone who was working for British
Telecom, of all the strange institutions*, about 10-15 years ago
looking into this.

* I say strange because in a security audit at BT some years ago the
  auditor discovered that the systems manager(s) had written all the
  key root passwords on a whiteboard in one of the offices.

But (and I am not being mean) this has nothing to do with what this
thread was discussing. But is much more interesting :)

Mmm. Counts as a new thread, so I didn't break my rules :)

--
Regards
Cliff