[52498] in North American Network Operators' Group
Re: Security Practices question
daemon@ATHENA.MIT.EDU (Scott Francis)
Thu Oct 3 12:34:59 2002
Date: Thu, 3 Oct 2002 09:31:57 -0700
From: Scott Francis <darkuncle@darkuncle.net>
To: just me <matt@snark.net>
Cc: nanog@merit.edu
Mail-Followup-To: Scott Francis <darkuncle@darkuncle.net>,
just me <matt@snark.net>, nanog@merit.edu
In-Reply-To: <Pine.GSO.4.33L0.0210021745300.23094-100000@pants.snark.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, Oct 02, 2002 at 05:48:16PM -0700, matt@snark.net said:
> On Wed, 2 Oct 2002, Scott Francis wrote:
>
> Can you back up that statement in /any/ way? What exactly are your reasons
> why sudo is a worse solution (or even a bad idea)?
>
> In an environment where every sysadmin is interchangeable, and any one
> of them can be woken up at 3am to fix the random problem of the day,
> you tell me how to manage 'sudoers' on 4000 machines.
You don't _have_ logins directly to 4000 machines. You have a central admin
host (or five) with user-level accounts. Those user-level accounts can 'sudo
ssh <target>' to accomplish things as root on the remote boxes. Given the
nature of the UNIX permissions structure, any solution is going to be lacking
when scaled up large enough - but the problems involved in properly
administering sudo are considerably smaller than those introduced by having
multiple uid 0 accounts (especially multiple uid 0 accounts on multiple
machines).
What do you do when one (or ten) of those 'interchangeable sysadmins' leaves
the company? _Then_ you have a real nightmare - changing root and removing
uid 0 accounts on 4000 boxes. I'd rather manage /etc/sudoers, thanks very
much.
> In a situation where the team needs root, all per-admin UID 0
> accounts add is accountability and personalized shells/environments.
All of which can be handled with sudo, without giving away the keys to the
castle.
> Sorry to ruffle your dogma.
Not dogma, just best practice.
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
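As an added illustration of the account-management problem the post raises, not code from the thread: a Python audit that lists every principal able to become root on one host, whether through an extra uid 0 login or a sudoers grant. The /etc/passwd and sudoers text are constructed samples for the example.

```python
import re
# Constructed sample /etc/passwd: 'toor' and 'bob' are extra uid 0 logins.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
toor:x:0:0:Bourne-again Superuser:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:0:1002:Bob (left the company):/home/bob:/bin/bash
"""
# Constructed sample /etc/sudoers for a hypothetical central admin host.
SAMPLE_SUDOERS = """Defaults    logfile=/var/log/sudo.log
User_Alias  ADMINS = alice, carol
Cmnd_Alias  REMOTE = /usr/bin/ssh
root        ALL=(ALL) ALL
ADMINS      ALL=(root) REMOTE
dave        ALL=(ALL) NOPASSWD: ALL
"""
def uid0_accounts(passwd_text):
    """Names of every uid 0 account; anything beyond 'root' is an extra root login."""
    return [f[0] for f in (ln.split(":") for ln in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0"]

def sudo_root_grants(sudoers_text):
    """{user: [commands]} for specs that may run as root; User_/Cmnd_Alias expanded."""
    users, cmd_aliases, grants = {}, {}, {}
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"(User|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            table = users if m.group(1) == "User" else cmd_aliases
            table[m.group(2)] = [x.strip() for x in m.group(3).split(",")]
            continue
        # user spec: who  host=(runas) cmds   (runas defaults to root)
        m = re.match(r"(\S+)\s+[^=\s]+\s*=\s*(?:\((\S+?)\)\s*)?(.+)", line)
        if not m or (m.group(2) or "root") not in ("root", "ALL"):
            continue
        spec = re.sub(r"\b(NOPASSWD|PASSWD|NOEXEC|SETENV):\s*", "", m.group(3))
        cmds = [c for tok in spec.split(",")
                for c in cmd_aliases.get(tok.strip(), [tok.strip()])]
        for user in users.get(m.group(1), [m.group(1)]):
            grants[user] = cmds
    return grants

def root_capable(passwd_text, sudoers_text):
    """One view of who can become root on the host and by which mechanism."""
    report = {}
    for name in uid0_accounts(passwd_text):
        report.setdefault(name, []).append("uid 0 login")
    for user, cmds in sudo_root_grants(sudoers_text).items():
        report.setdefault(user, []).append("sudo: " + ", ".join(cmds))
    return report
```

Running `root_capable` over a fleet's real files makes the offboarding case concrete: a departed admin shows up as an extra uid 0 login on every host, whereas a sudoers grant is a single line to revoke.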