topic Re: root or non root in Operating System - HP-UX

root or non root

Allanm — Wed, 23 Jan 2008 00:09:05 GMT

Currently in our env we have root doing all the installation and administration of the applications like JBOSS / apache / all middlwares etc. My idea is to move to non root accounts so that things can be managed securely and in a better way.

Please suggest whether you have faced this situation before and how to deal with it in terms of moving the existing applications to non root user. What are the things that we need to take care of in order to seamlessly migrate over .

Re: root or non root

Patrick Wallek — Wed, 23 Jan 2008 01:20:34 GMT

Many of these types of applications may require root to install them. That is fine. The application teams should coordinate with the systems administrators for installation.

However, day-to-day administration of these types of things should NOT require root. Your application teams/users should have their own user ids which they should use for their purposes.

In terms of moving existing applications to use non-root users for administration, they will probably be a difficult task. Things like this need to be looked at and planned prior to the products actually being installed.

Re: root or non root

VK2COT — Wed, 23 Jan 2008 10:50:03 GMT

Hello,

I agree with Patrick.

You will have two kinds of issues:

a) Resistance by humans to stop
relying on root access for everything.

Various application admin teams often request
root access as though they cannot exist
without it.

By nature, humans are not keen on
changes. Even when the change looks good,
people like to stick to what they already
know or have.

Besides, lot of people like to
have root access. It gives them sense of power.

Personally, I prefer not to know root passwords :) It is too much trouble to
worry about them...

b) Technical problems:

1. Does given application need to open
the Well Known Ports (those from 0 through
1023)?

2. Was given application designed to
run as root (due to bad design or whatever)?

3. How many commands require privileged
access?

And so on.

Here is a brief plan of attack:

a) Read documentation for each application
and/or user account that supports it.

That includes contacting vendors as well.

And, of course, asking questions in Forums
like ITRC.

b) Analyze active ports on the server
and verify who is using them.

c) Talk to application support teams
in a friendly manner.

d) Make one change at a time - preferably
on a test/development server (if you have
one).

Cheers,

VK2COT

Re: root or non root

Heironimus — Wed, 23 Jan 2008 21:50:01 GMT

I've found very few applications that need root privileges to run. Everywhere I've gone it's been standard practice to install as root but run/manage as non-root, with sudo (or similar) access as appropriate.

You may have to push vendors a little when you start asking questions. Many of them (even big players like IBM) say to run things as root, but if you press they'll admit that it's only necessary in specific situations.

I predict that you'll get very tired of patiently explaining to people that you want to identify why something is failing instead of just doing it as root.

Re: root or non root

Sorrel G. Jakins — Wed, 23 Jan 2008 23:58:31 GMT

The bickering over root access rapidly boiled over into a ridiculous situation, all emotion and no fact. So nobody gets it.

1. We build all our systems as a platform, and then use ignite to create production instances.

2. We make extensive use of sudo, to issue 'root'-level commands but with logging and accountability to particular users.