Root Access

Phil Meyer pmeyer at themeyerfarm.com
Tue Jun 16 04:50:18 UTC 2009


Sharpe, Sam J wrote:
> 2009/6/15 Robert L Cochran <cochranb at speakeasy.net>:
>   
>> The "locked box" approach is probably not used in very large enterprises. At
>> least not where I work (> 100,000 employees, > 98,000 Tier 3 workstations.)
>>     
>
> I think there is a difference between administering a large number of
> Workstations (as in a computer used at the desk by one or two
> individuals) and administering a large number of Servers simply
> because tighter controls are placed on the latter. I know of a few
> large places where sudo is king and the root passwords to the servers
> are randomised and kept in a safe (even if it's an electronic safe!).
>
> At a former employer, users had sudo rights on their own workstation
> to do pretty much anything (and similar PolicyKit and ConsoleHelper
> configs) but were never told their own root password.
>
>   

It happens that I have also administered over 100 SUN workstations as 
well as servers in the data center at a single location (large oil and 
gas company, research group).

We did similar things there.  No-one knew the root password and it was 
kept safe.  I had to adjust my jumpstart scripts to access a 'special' 
file on the mainframe that contained the encrypted password and install 
it during the initial system install, as well as the scripts that were 
used to push new passwords.

None of the engineers knew the root passwords, but many who, over time, 
had shown competence had been granted sudo access.  Even then the 
support group, of which I was a member, were notified at least by email 
of any sudo commands executed by those users.  Just as informational 
documentation. 

It was a great place to work, and one of the environments that I miss, 
and will probably never get to see again.

Tight controls and a somewhat fascist attitude towards administration 
can lead to unexpected benefits.  At that location I could tell when a 
printer was out of paper by monitoring network traffic patterns.  It was 
amazing to 'fix' problems before the users were even aware that they had 
one.
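The notification the post describes (the support group being mailed about every sudo command run by delegated users) is easy to reproduce from the log lines sudo already writes via syslog. The following is an added example, not code from the post or from the sudo project: it parses the default sudo syslog line format, separates accepted commands from denied or failed attempts, and renders the per-user summary that such an email would carry. The host name, user names, commands and log lines are constructed sample data, and `build_report` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Default sudo syslog format:
#   sudo: <user> : [<reason> ;] TTY=<tty> ; PWD=<cwd> ; USER=<runas> ; COMMAND=<cmd>
# The optional <reason> appears only on refused or failed attempts.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample of /var/log/secure-style lines (not real log data).
SAMPLE_LOG = """\
Jun 16 04:50:18 ws01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/yum update
Jun 16 04:51:02 ws01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Jun 16 04:52:40 ws01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun 16 04:53:11 ws01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/visudo
Jun 16 04:53:30 ws01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""


def parse_sudo_line(line):
    """Return a dict for a sudo log line, or None for any other line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = rec["reason"] or "ok"   # no reason field means the command was allowed
    rec["cmd"] = rec["cmd"].strip()
    return rec


def summarize(lines):
    """Group parsed sudo events per user into accepted ('ok') and refused ('denied')."""
    summary = defaultdict(lambda: {"ok": [], "denied": []})
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        bucket = "ok" if rec["reason"] == "ok" else "denied"
        summary[rec["user"]][bucket].append(rec)
    return dict(summary)


def build_report(lines, host):
    """Render the plain-text body the support group would receive by mail."""
    summary = summarize(lines)
    out = [f"sudo activity on {host}", ""]
    for user in sorted(summary):
        ok, denied = summary[user]["ok"], summary[user]["denied"]
        out.append(f"{user}: {len(ok)} accepted, {len(denied)} denied")
        for rec in ok:
            out.append(f"    OK      {rec['runas']:<6} {rec['cmd']}  (tty {rec['tty']}, cwd {rec['pwd']})")
        for rec in denied:
            out.append(f"    DENIED  {rec['runas']:<6} {rec['cmd']}  [{rec['reason']}]")
    return "\n".join(out)


if __name__ == "__main__":
    print(build_report(SAMPLE_LOG.splitlines(), "ws01"))
```

Feeding the real log (for example the output of `grep sudo /var/log/secure`) into `build_report` and piping the result to `mail` gives the informational digest described above; the denied entries are the ones worth a second look, since they show delegated users probing beyond what their sudoers entry allows.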




More information about the fedora-list mailing list