<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: who should have root access in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662201#M797136</link>
<description>Only admins should have the root password.&lt;BR /&gt;&lt;BR /&gt;Operations doesn't need it; you can use sudo to give them any functionality they need.&lt;BR /&gt;&lt;BR /&gt;Good plan.&lt;BR /&gt;&lt;BR /&gt;SEP</description>
    <pubDate>Tue, 01 Nov 2005 14:53:35 GMT</pubDate>
    <dc:creator>Steven E. Protter</dc:creator>
    <dc:date>2005-11-01T14:53:35Z</dc:date>
    <item>
      <title>who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662200#M797135</link>
<description>I have a user that wants to be root. It's to the point where we are having a meeting as a group to review our root access procedure. Below is what we do for root access ... does it make sense?&lt;BR /&gt;&lt;BR /&gt;1) only two people know the password ... myself and a guy I have trained at night (this is a 24x7 fab)&lt;BR /&gt;&lt;BR /&gt;2) if we are not physically present then call us to do the work seemingly needed if urgent, else send us an email/voice-mail&lt;BR /&gt;&lt;BR /&gt;3) if we are not responding to an urgent need then a list of 10 people or so can have access to all the root passwords stored in envelopes with our security group by following a simple procedure to get the envelope/s (I update the envelopes/passwords later due to them being accessed)&lt;BR /&gt;&lt;BR /&gt;Is this OK? My concern is that people want root access to satisfy their convenience at the expense of mine. I feel that problems are reduced when fewer people have access to root ... regardless of their skills/needs.&lt;BR /&gt;&lt;BR /&gt;Keep in mind that my systems are very stable and more often than not when people have asked to have root access it was for tasks that did not need to be done as root.&lt;BR /&gt;&lt;BR /&gt;I have a meeting tomorrow and would absolutely appreciate any guidelines/support/criticism/etc...&lt;BR /&gt;&lt;BR /&gt;FYI: I do have sudo set up and tweaked as needed for some users/commands but I actually do not like this, nor do I like setuid scripts which I am also using to satisfy some users ... in the end I am trying my best to find a balance between users and me since the servers are not for me or for the users as much as they are for some task/application/job...</description>
      <pubDate>Tue, 01 Nov 2005 14:44:56 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662200#M797135</guid>
      <dc:creator>Marc Ahrendt</dc:creator>
      <dc:date>2005-11-01T14:44:56Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662201#M797136</link>
<description>Only admins should have the root password.&lt;BR /&gt;&lt;BR /&gt;Operations doesn't need it; you can use sudo to give them any functionality they need.&lt;BR /&gt;&lt;BR /&gt;Good plan.&lt;BR /&gt;&lt;BR /&gt;SEP</description>
      <pubDate>Tue, 01 Nov 2005 14:53:35 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662201#M797136</guid>
      <dc:creator>Steven E. Protter</dc:creator>
      <dc:date>2005-11-01T14:53:35Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662202#M797137</link>
<description>Marc --&lt;BR /&gt;&lt;BR /&gt;It sounds like a reasonable plan to me. We do something similar -- four people have root and we are supposed to log into our own root account and "su -" to root so that there is at least some trail to what is going on.&lt;BR /&gt;&lt;BR /&gt;What are the specific reasons that he wants root? Are they things you could accomplish with "sudo" (despite your not liking it)?</description>
      <pubDate>Tue, 01 Nov 2005 14:54:34 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662202#M797137</guid>
      <dc:creator>Kent Ostby</dc:creator>
      <dc:date>2005-11-01T14:54:34Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662203#M797138</link>
<description>Marc:&lt;BR /&gt;&lt;BR /&gt;You have summarized the usual request well: "...people want root access to satisfy their convenience [at your] expense".&lt;BR /&gt;&lt;BR /&gt;I think you have provided very adequate access given that you respond to requests; have a backup support person; and in an emergency have provided a route to access.&lt;BR /&gt;&lt;BR /&gt;In my opinion, those who would have to clean up a mess tend to take better care not to make a mess in the first place. Stand firm.&lt;BR /&gt;&lt;BR /&gt;Regards!&lt;BR /&gt;&lt;BR /&gt;..JRF...</description>
      <pubDate>Tue, 01 Nov 2005 14:55:03 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662203#M797138</guid>
      <dc:creator>James R. Ferguson</dc:creator>
      <dc:date>2005-11-01T14:55:03Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662204#M797139</link>
<description>Well, IMO only the admins should have root.&lt;BR /&gt;&lt;BR /&gt;There are rare occasions when someone other than an admin needs root for certain commands, and sudo could be set up for those commands. However, be careful because there are some commands that can be exploited.</description>
      <pubDate>Tue, 01 Nov 2005 15:04:04 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662204#M797139</guid>
      <dc:creator>Marvin Strong</dc:creator>
      <dc:date>2005-11-01T15:04:04Z</dc:date>
    </item>
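    <![CDATA[
Marvin's caution that "some commands can be exploited" is the part of a sudo setup that gets overlooked most often, and it is the reason Marc's "sudo tweaked as needed for some users/commands" deserves a second look. The block below is an added example, not code from any post in this thread: a small auditor for the user-specification lines of a sudoers file that flags grants which are effectively a root shell (ALL, editors, pagers, interpreters, find -exec, archivers) and commands such as chmod given free or wildcard arguments. The sample sudoers text is constructed for the example, the sets of "shell escape" and "file rewriter" programs are this example's assumption rather than an exhaustive list, and alias expansion and Defaults lines are deliberately left out.

```python
"""Audit sudo rules for grants that are really 'root with extra steps'.

Added example for this thread (not code from any of the posts). It reads
the simplified user-spec grammar  user host = (runas) [TAG:] cmd, cmd ...
and flags rules that let the grantee reach a shell or rewrite any file.
Alias expansion and Defaults lines are out of scope here.
"""
import re
import shlex

# Programs that hand out a shell once they run as root (pagers, interpreters,
# find -exec, archivers with a "run this program" option). NOEXEC blocks these.
# The set is this example's assumption, not an exhaustive catalogue.
SHELL_ESCAPES = {
    "sh", "ksh", "csh", "bash", "su", "env", "nice", "nohup", "crontab",
    "less", "more", "man", "pg", "find", "awk", "nawk", "perl", "python",
    "expect", "tar", "cpio", "rsync", "scp", "ssh", "ftp",
}
# Editors write any file as root; NOEXEC does not help against ':w /etc/passwd'.
EDITORS = {"vi", "vim", "ex", "ed", "emacs", "sed"}
# Fine with fixed arguments, dangerous with free or wildcard ones.
FILE_REWRITERS = {"chmod", "chown", "chgrp", "cp", "mv", "rm", "ln", "dd"}
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
USER_SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
                       r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def split_commands(spec):
    """'NOPASSWD: /bin/a, /bin/b x' -> [(tags, argv), ...]; tags carry over."""
    entries, tags = [], set()
    for part in spec.split(","):
        part = part.strip()
        while ":" in part:                      # peel TAG: prefixes
            head, _, rest = part.partition(":")
            if head.strip().upper() not in TAGS:
                break
            tags.add(head.strip().upper())
            part = rest.strip()
        if part:
            entries.append((frozenset(tags), shlex.split(part)))
    return entries


def audit_sudoers(text):
    """Return [(lineno, severity, reason)] for every risky grant."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        for tags, argv in split_commands(m.group("cmds")):
            cmd, args = argv[0], argv[1:]
            base = cmd.rsplit("/", 1)[-1]
            sev = reason = None
            if cmd == "ALL":
                sev, reason = "high", "ALL is an unrestricted root shell"
            elif base in EDITORS:
                sev, reason = "high", f"{base} edits any file as root (NOEXEC does not help)"
            elif base in SHELL_ESCAPES and "NOEXEC" not in tags:
                sev, reason = "high", f"{base} can spawn a shell (add NOEXEC or drop the grant)"
            elif base in FILE_REWRITERS and (not args or any("*" in a for a in args)):
                # no args at all = any args allowed; '*' = glob over paths
                sev, reason = "medium", f"{base} with free or wildcard arguments rewrites arbitrary paths"
            if sev:
                if "NOPASSWD" in tags:
                    reason += " (NOPASSWD: not even a password prompt in the way)"
                findings.append((lineno, sev, reason))
    return findings


# Constructed sample, not a sudoers file from the thread.
SAMPLE_SUDOERS = """\
# ops may manage print queues without root; the rest are the usual mistakes
Defaults    logfile=/var/adm/sudo.log
ops      ALL = (root) /usr/sbin/lpadmin, /usr/bin/cancel *
ops      ALL = NOPASSWD: /usr/bin/vi /etc/hosts
dba      ALL = (oracle) /usr/bin/find /u01 -name core -exec rm {} \\;
dba      ALL = /bin/chmod -R 777 /u01/app/oracle/*
backup   ALL = (root) NOEXEC: /usr/bin/tar cf /dev/rmt/0m /
joe      ALL = ALL
"""

if __name__ == "__main__":
    for lineno, sev, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: [{sev}] {reason}")
```

Run against the constructed sample it reports lines 4, 5, 6 and 8 and stays quiet about the print-queue grant and the NOEXEC-tagged tar job, which is the shape a "tightly controlled and extremely limited in scope" sudoers should have: fixed binaries, fixed arguments, NOEXEC wherever the program can run something else, and no editors at all (hand out a wrapper that edits one specific file instead).
]]>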
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662205#M797140</link>
<description>Your approach is reasonable, although there do need to be some time limits in your standards (such as if no response within 30 minutes then ...). Also, 10 or so people when two are able to handle the normal load seems very excessive. You are really setting yourself up for the scenario where an "unused" disk (LUN, LVOL, ...) gets used disastrously --- and, of course, the answer is "I didn't do it."&lt;BR /&gt;&lt;BR /&gt;Ultimately, you are responsible for whatever happens so you should be in control. If this were me, rather than your "10 or so" approach, I would prefer to add another trusted admin to your present group of two and make sure that at least one of you is available (or on call) at all times.&lt;BR /&gt;&lt;BR /&gt;The thought of setuid scripts scares me to death; those are security bombs waiting to explode. Sudo is the far better approach but sudo'ed tasks should be tightly controlled and extremely limited in scope.</description>
      <pubDate>Tue, 01 Nov 2005 15:12:13 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662205#M797140</guid>
      <dc:creator>A. Clay Stephenson</dc:creator>
      <dc:date>2005-11-01T15:12:13Z</dc:date>
    </item>
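    <![CDATA[
Clay's "security bombs waiting to explode" is worth making concrete, because the danger of a setuid script is not a bug in the script but in the mechanism: the kernel starts the interpreter named on the #! line and passes it the script's path, so the file can be swapped between the two opens, and the interpreter runs with whatever PATH, IFS or ENV the caller chose. The block below is an added example, not code from any post in this thread: an inventory of setuid/setgid files in the spirit of `find / -perm -4000`, with the checks an admin would run on each hit. The checks, thresholds and the constructed demo tree are this example's own choices; the demo builds its files in a temporary directory, and setting the bit on a file you own needs no root.

```python
"""Inventory setuid/setgid files and flag the ones that are security bombs.

Added example for this thread, not code from any of the posts. It does what
`find / -perm -4000` does and then applies the checks an admin would run on
each hit; the checks and the constructed demo tree are this example's own.
"""
import os
import stat
import tempfile


def classify_privileged(mode, head, dir_mode):
    """Reasons a setuid/setgid file is dangerous; [] for an ordinary binary.

    mode     -- st_mode of the file
    head     -- its first bytes (enough to see a '#!' line)
    dir_mode -- st_mode of the directory holding it
    """
    reasons = []
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return reasons
    if head.startswith(b"#!"):
        # On systems that honor the bit on scripts, the kernel execs the
        # interpreter with the script *path* as argument; the path can be
        # swapped between the two opens, and the interpreter reads the
        # caller's environment (PATH, IFS, ENV ...). No script can fix that.
        reasons.append("setuid #! script: racy and environment-controlled")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group/world writable: anyone can replace the code that runs privileged")
    if dir_mode & stat.S_IWOTH and not dir_mode & stat.S_ISVTX:
        reasons.append("in a world-writable directory without the sticky bit: file can be swapped")
    return reasons


def scan(root):
    """Yield (path, reasons) for every setuid/setgid regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        dir_mode = os.lstat(dirpath).st_mode
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                head = b""
            yield path, classify_privileged(st.st_mode, head, dir_mode)


def demo():
    """Build a constructed tree in a temp dir, audit it, return {relpath: reasons}."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    bin_dir = os.path.join(base, "usr", "local", "bin")
    shared = os.path.join(base, "shared")          # will be 0777, no sticky bit
    os.makedirs(bin_dir)
    os.makedirs(shared)
    samples = {                                     # path: (contents, mode), all constructed
        os.path.join(bin_dir, "restart_app.sh"): (b"#!/bin/sh\nkill -HUP $(cat /var/run/app.pid)\n", 0o4755),
        os.path.join(bin_dir, "rotate_logs"): (b"\x7fELF", 0o4775),
        os.path.join(bin_dir, "passwd_like"): (b"\x7fELF", 0o4755),
        os.path.join(shared, "helper"): (b"\x7fELF", 0o4755),
    }
    for path, (content, mode) in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)                        # setting the bit on your own file needs no root
    os.chmod(shared, 0o777)
    return {os.path.relpath(p, base): r for p, r in scan(base)}


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons) or "ordinary setuid binary: put it on the inventory")
```

The replacement for a setuid script is the thing Clay recommends: a sudo rule for the one command the script was wrapping, or, if a wrapper is unavoidable, a small compiled program that hard-codes its PATH, drops the environment and takes no arguments it does not validate.
]]>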
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662206#M797141</link>
<description>IMHO, if you give the passwords away, where is the reason to have passwords? Why do you have secured doors to your computer rooms?&lt;BR /&gt;&lt;BR /&gt;If you give the password to users, do you know if other users get it too?&lt;BR /&gt;&lt;BR /&gt;You are losing control! Remember, root can do everything and all you know is, this was root. I would stay with the current procedure.</description>
      <pubDate>Tue, 01 Nov 2005 15:18:08 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662206#M797141</guid>
      <dc:creator>Torsten.</dc:creator>
      <dc:date>2005-11-01T15:18:08Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662207#M797142</link>
<description>Only admins should have root. Managers may want to have access to the root passwd in case of disaster.&lt;BR /&gt;&lt;BR /&gt;Set up the admins in the wheel group. Only members of the wheel group have access to the root account. Even if the passwd is known throughout, only wheel group members can become root. (Do a 'man security' to see this option and others.)&lt;BR /&gt;&lt;BR /&gt;Configure /etc/securetty to allow root login only on the console.&lt;BR /&gt;&lt;BR /&gt;Lots of access policies to review.</description>
      <pubDate>Tue, 01 Nov 2005 15:18:29 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662207#M797142</guid>
      <dc:creator>Rick Garland</dc:creator>
      <dc:date>2005-11-01T15:18:29Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662208#M797143</link>
<description>It appears like our systems are designed quite well. Root password should be restricted, and you seem to have a very good process in place.&lt;BR /&gt;&lt;BR /&gt;If the systems are stable, there should be no need for users to access the system as root. I have managed some systems for years without this type of request. On the other hand I had a couple of systems where the users went up the ladder far enough to get the authorization - until one of them inadvertently wiped out an Oracle database.........&lt;BR /&gt;&lt;BR /&gt;When a user logs in as root, you have no audit trail, and no way to show what he did - not a good idea.</description>
      <pubDate>Tue, 01 Nov 2005 15:56:59 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662208#M797143</guid>
      <dc:creator>DCE</dc:creator>
      <dc:date>2005-11-01T15:56:59Z</dc:date>
    </item>
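    <![CDATA[
Kent's "log in as yourself, then su -", Rick's wheel-group restriction and DCE's "when a user logs in as root, you have no audit trail" are three views of the same control: every root session must trace back to a named person, which only happens when root is reached through su (or sudo) from a personal account. The block below is an added example, not code from any post in this thread. It reconstructs that trail from su records written in the classic System V sulog layout (`SU MM/DD HH:MM [+|-] tty from-to`; adjust the regex if your system logs differently), cross-checks them against a list of interactive logins of the kind `last` prints, and reports root sessions by people outside the root group, repeated failed su attempts, and root logins that have no su record behind them. All log lines, the login list and the wheel membership are constructed for the example.

```python
"""Rebuild the root-access trail from su records.

Added example for this thread, not code from the posts. The records are
constructed in the classic System V sulog layout
(SU MM/DD HH:MM [+|-] tty from-to); the login list stands in for what
`last` would print. Who is allowed to su to root is this example's guess.
"""
import re
from collections import Counter

SULOG_LINE = re.compile(
    r"^SU\s+(?P<date>\d\d/\d\d)\s+(?P<time>\d\d:\d\d)\s+(?P<ok>[+-])\s+"
    r"(?P<tty>\S+)\s+(?P<src>\S+)-(?P<dst>\S+)$"
)

WHEEL = {"marc", "nightop"}          # assumed root group membership (constructed)

SAMPLE_SULOG = """\
SU 11/01 06:02 + pts/1 marc-root
SU 11/01 06:40 + pts/2 nightop-root
SU 11/01 09:15 - pts/3 bob-root
SU 11/01 09:15 - pts/3 bob-root
SU 11/01 09:16 - pts/3 bob-root
SU 11/01 09:17 + pts/3 bob-root
SU 11/01 11:30 + pts/4 dba1-oracle
SU 11/01 14:05 + console root-oracle
"""

SAMPLE_LOGINS = [                    # (user, tty, when), constructed
    ("root", "console", "11/01 02:10"),
    ("marc", "pts/1", "11/01 06:00"),
    ("root", "pts/5", "11/01 13:22"),
]


def parse_sulog(text):
    """Return one dict per well-formed SU line; ok is True for a successful su."""
    records = []
    for line in text.splitlines():
        m = SULOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ok"] = rec["ok"] == "+"
            records.append(rec)
    return records


def root_trail(records, logins, wheel=WHEEL, fail_threshold=3):
    """Attribute every root session to a person and list what has no owner."""
    out = {"root_sessions": [], "outside_wheel": [], "repeated_failures": [],
           "direct_root_logins": []}
    fails = Counter()
    for r in records:
        if r["dst"] != "root":
            continue
        when = f'{r["date"]} {r["time"]}'
        if r["ok"]:
            out["root_sessions"].append((when, r["src"], r["tty"]))
            if r["src"] not in wheel:        # got root although not in the root group
                out["outside_wheel"].append((when, r["src"], r["tty"]))
        else:
            fails[(r["src"], r["tty"])] += 1
    for (src, tty), n in fails.items():
        if n >= fail_threshold:              # guessing, or someone who was never told the password
            out["repeated_failures"].append((src, tty, n))
    for user, tty, when in logins:
        if user == "root":                   # no su record behind it: nobody to attribute this to
            out["direct_root_logins"].append((when, tty))
    return out


def demo():
    """Run the trail over the constructed samples."""
    return root_trail(parse_sulog(SAMPLE_SULOG), SAMPLE_LOGINS)


if __name__ == "__main__":
    for kind, rows in demo().items():
        print(kind)
        for row in rows:
            print("   ", *row)
```

On the constructed data the report says what the thread predicts: two attributable root sessions from the wheel members, one person outside the group who became root after three failed tries (so the password has leaked), and two root logins with no su behind them. The pts/5 login also shows that the console-only rule Rick suggests for /etc/securetty is not being enforced; the console one is at least physically bounded, but it is still a session no one can be held to.
]]>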
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662209#M797144</link>
      <description>A point to be made - are your systems ever audited? Do you have outside auditors come in and try to tell you what is wrong?&lt;BR /&gt;&lt;BR /&gt;Of all things the auditors may try to tell you that is wrong with your systems, the one item that they are correct in is the access to the root account.&lt;BR /&gt;&lt;BR /&gt;If you have users that need to run/access their stuff, check the permissions and ownerships. This can be (and is) the 1st line of defense for securing your systems. Access to root is not required to view a user's files if the perms are set correctly.</description>
      <pubDate>Tue, 01 Nov 2005 16:04:12 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662209#M797144</guid>
      <dc:creator>Rick Garland</dc:creator>
      <dc:date>2005-11-01T16:04:12Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662210#M797145</link>
<description>wow ... too many responses to give individual feedback!&lt;BR /&gt;&lt;BR /&gt;Thanks for all your comments (more are welcome)! They are very helpful and it seems that what I am doing overall is not uncommon and very good practice.&lt;BR /&gt;&lt;BR /&gt;Below is what I plan to modify, if my manager allows me to keep the control to continue what I have set up for the past ~5 years:&lt;BR /&gt;    1) as Clay stated, define better time limits ... how long to wait on me responding to a call/page/email&lt;BR /&gt;    2) as Kent &amp;amp; Rick stated, possibly make people access root from other accounts to help track future use&lt;BR /&gt;</description>
      <pubDate>Tue, 01 Nov 2005 17:40:19 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662210#M797145</guid>
      <dc:creator>Marc Ahrendt</dc:creator>
      <dc:date>2005-11-01T17:40:19Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662211#M797146</link>
<description>When I started with my current company 8 years ago, virtually everyone had root access to the servers - 1st line support, 2nd line support, 3rd line unix admins (fair enough!), DBAs, system developers, etc. - approximately 40 people.&lt;BR /&gt;&lt;BR /&gt;Since I moved to the 3rd line team, I've been cutting back on access piece by piece. Needless to say, there have been complaints/concerns raised by people about this loss of access, but this has mostly been people worrying that they'll no longer be able to perform their jobs correctly. A few weeks ago, I finally got it to the stage where only my team (who really need this access) know the passwords. I've been fortunate to have management backing me up on this all the way too.&lt;BR /&gt;&lt;BR /&gt;As others have said - mistakes happen (we all make them, no matter how small). The fewer people that have the capability to wreak havoc on the systems with a mis-typed command, the better.&lt;BR /&gt;&lt;BR /&gt;Clearly, you're in a fortunate position having only 2 of you really knowing the password to start with - people can't miss what they never had.&lt;BR /&gt;&lt;BR /&gt;Sudo, and similar products, are an absolute must in most modern environments - apart from anything else, you have the capability to easily audit whatever commands are being executed.&lt;BR /&gt;&lt;BR /&gt;Another consideration that is now affecting many of us is Sarbanes-Oxley, and often internal/external security audits. The controls that are now being insisted on are becoming ever more strict, so it's worth finding out what impact this is likely to have on your company if you don't already know.&lt;BR /&gt;&lt;BR /&gt;All in all, it sounds to me like you have a good foundation to work from - don't give it up!</description>
      <pubDate>Tue, 01 Nov 2005 18:37:05 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662211#M797146</guid>
      <dc:creator>Chris Wilshaw</dc:creator>
      <dc:date>2005-11-01T18:37:05Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662212#M797147</link>
<description>I too agree with the rest - only someone who is a sysadmin should be root.&lt;BR /&gt;&lt;BR /&gt;Use sudo to grant individual commands that others need to do on a repetitive basis - as long as they aren't destructive commands.&lt;BR /&gt;&lt;BR /&gt;Like, you may want power users to be able to kill others' print jobs...&lt;BR /&gt;&lt;BR /&gt;Things like that.&lt;BR /&gt;&lt;BR /&gt;DON'T setuid!&lt;BR /&gt;&lt;BR /&gt;There should not be a reason to use root in order to keep applications up and running.&lt;BR /&gt;&lt;BR /&gt;Rgds...Geoff</description>
      <pubDate>Tue, 01 Nov 2005 19:00:17 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662212#M797147</guid>
      <dc:creator>Geoff Wild</dc:creator>
      <dc:date>2005-11-01T19:00:17Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662213#M797148</link>
<description>I am the sole Unix admin in our organization; however, as I have a manager and a director that back me up, they have root access as well. Also, our helpdesk mgr acts as my backup and periodically is required to run scripts as root, but generally not.&lt;BR /&gt;&lt;BR /&gt;My manager defines security policy, my responsibility beyond the Unix system is to back up our Microsoft geeks, and in turn they back me up, so all told we have 8 people with root capability.&lt;BR /&gt;&lt;BR /&gt;I agree with Clay, as root job processing will take precedence. It is agreed practice that I will script and menu those items that may require root / wheel group level intervention.&lt;BR /&gt;&lt;BR /&gt;I've been with my company for 5 yrs, and have set my UX systems up within standard specs for L&amp;amp;nux, HP/UX, SunOS, and my manager preceded me in my position so.&lt;BR /&gt;&lt;BR /&gt;It is important to consider that when you have a system there are some basic protocols for recovery and business continuity in the event you aren't there. This is another part of the scenario to consider. We worked hard at defining a business continuity plan. If, God forbid, the sys admin dies in a car crash, or is wiped out by a tornado, the business will need to keep plugging. Document the processes well.</description>
      <pubDate>Wed, 02 Nov 2005 09:20:20 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662213#M797148</guid>
      <dc:creator>rmueller58</dc:creator>
      <dc:date>2005-11-02T09:20:20Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662214#M797149</link>
      <description>If one really wants to be paranoid, you can take root away from EVERYONE, sys admins included.&lt;BR /&gt;&lt;BR /&gt;I read an article at one point in which the author said that no one in his shop knew the root password.  ALL sys admins did what they needed to do via sudo, which is entirely plausible.  Sudo does allow you a bit more logging and tracking of who is doing what.&lt;BR /&gt;&lt;BR /&gt;The author of the article ran a script that would change the root password once a day to some random string of characters and numbers.  If they absolutely had to log in as root, they would suspend the cron job, change the root password and do what they needed to do.&lt;BR /&gt;&lt;BR /&gt;Granted this case is extreme, but it is another option.&lt;BR /&gt;&lt;BR /&gt;&lt;A href="http://www.samag.com/documents/s=9494/sam0502h/0502h.htm" target="_blank"&gt;http://www.samag.com/documents/s=9494/sam0502h/0502h.htm&lt;/A&gt;</description>
      <pubDate>Wed, 02 Nov 2005 09:29:44 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662214#M797149</guid>
      <dc:creator>Patrick Wallek</dc:creator>
      <dc:date>2005-11-02T09:29:44Z</dc:date>
    </item>
    <item>
      <title>Re: who should have root access</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662215#M797150</link>
<description>As everyone else has indicated, root capability, even with the sudo-enabled root capability, should be dispensed with extreme care. In my organization, we have 6 admins who can have this kind of elevated privilege access. Of course every time a consultant comes in to install new software or do an upgrade, the conversation goes something like this:&lt;BR /&gt;&lt;BR /&gt;Consultant: "what's the root password ?"&lt;BR /&gt;Me: "huh ?"&lt;BR /&gt;C: "password for root, you know the superuser"&lt;BR /&gt;Me: "And your point is ??"&lt;BR /&gt;C: "I need to install/upgrade such and such and I need it"&lt;BR /&gt;Me: "No you don't!"&lt;BR /&gt;C: "Yes I do, here is the document which says I need root access"&lt;BR /&gt;Me: "That is a document that you have written for your convenience, not necessarily a reflection of facts. Call me when you need root access. Here's my extension number. Bye..."&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;then 5 days into the process the phone rings:&lt;BR /&gt;&lt;BR /&gt;C: "uuhhh, can you run the program (he is referring to a script which sets a sticky bit on 3 executables) /usr/local/bin/root.sh ?"&lt;BR /&gt;Me: "sure. (3 seconds later) done..."&lt;BR /&gt;C: "Thanks"&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;And more often than not, I never hear back from him.&lt;BR /&gt;&lt;BR /&gt;Yes, if I had given him the root or equivalent access, it would have made his life much easier but at the same time, would have made mine much harder when he made a stupid typo somewhere, rendering my system useless. How many times has someone unknowing with root privilege run a chmod -R on one of your vital filesystems and brought the system down to its knees?&lt;BR /&gt;&lt;BR /&gt;So, word of caution: do not give the actual root password to anyone, even yourself (if you do not use it long enough you will also forget, believe me, especially if it is something cryptic as it should be) and dispense the sudo or similar functionality provided elevated privilege access with caution and with as fine granularity as you possibly can deal with.&lt;BR /&gt;&lt;BR /&gt;There's always a hotshot and they always find you to make your life miserable otherwise.</description>
      <pubDate>Wed, 02 Nov 2005 09:46:27 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/who-should-have-root-access/m-p/3662215#M797150</guid>
      <dc:creator>Mel Burslan</dc:creator>
      <dc:date>2005-11-02T09:46:27Z</dc:date>
    </item>
  </channel>
</rss>

