Allanm
Super Advisor

root or non root


Currently in our env we have root doing all the installation and administration of the applications like JBOSS / apache / all middlewares etc. My idea is to move to non root accounts so that things can be managed securely and in a better way.

Please suggest whether you have faced this situation before and how to deal with it in terms of moving the existing applications to non root user. What are the things that we need to take care of in order to seamlessly migrate over?
Patrick Wallek
Honored Contributor

Re: root or non root

Many of these types of applications may require root to install them. That is fine. The application teams should coordinate with the systems administrators for installation.

However, day-to-day administration of these types of things should NOT require root. Your application teams/users should have their own user ids which they should use for their purposes.

In terms of moving existing applications to use non-root users for administration, that will probably be a difficult task. Things like this need to be looked at and planned prior to the products actually being installed.
VK2COT
Honored Contributor

Re: root or non root

Hello,

I agree with Patrick.

You will have two kinds of issues:

a) Resistance by humans to stop
relying on root access for everything.

Various application admin teams often request
root access as though they cannot exist
without it.

By nature, humans are not keen on
changes. Even when the change looks good,
people like to stick to what they already
know or have.

Besides, a lot of people like to
have root access. It gives them a sense of power.

Personally, I prefer not to know root passwords :) It is too much trouble to
worry about them...

b) Technical problems:

1. Does a given application need to open
the Well Known Ports (those from 0 through
1023)?

2. Was a given application designed to
run as root (due to bad design or whatever)?

3. How many commands require privileged
access?

And so on.

Here is a brief plan of attack:

a) Read documentation for each application
and/or user account that supports it.

That includes contacting vendors as well.

And, of course, asking questions in Forums
like ITRC.

b) Analyze active ports on the server
and verify who is using them.

c) Talk to application support teams
in a friendly manner.

d) Make one change at a time - preferably
on a test/development server (if you have
one).

Cheers,

VK2COT
VK2COT - Dusan Baljevic
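
An added example, not part of VK2COT's post: one way to carry out step b) and answer technical question 1 is to classify every listening TCP socket by owning user and port. It assumes `lsof` is installed and that `lsof -nP -iTCP` prints its usual column layout; the function name, class labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Real use (as root, so every process is visible):
#   lsof -nP -iTCP | classify_listeners
# Output: CLASS USER COMMAND PORT, one line per distinct listener.
#   PRIV_PORT  port below 1024: something must bind it with privilege
#   ROOT_HIGH  root-owned listener on a port >= 1024: candidate for a
#              dedicated non-root account
#   OK         non-root listener on an unprivileged port
classify_listeners() {
    awk '
    $NF == "(LISTEN)" {
        addr = $(NF-1)                # *:8080, 127.0.0.1:443, [::1]:80
        n = split(addr, parts, ":")
        port = parts[n] + 0           # port follows the last colon
        user = $3; cmd = $1
        key = user SUBSEP cmd SUBSEP port
        if (key in seen) next         # forked workers share one socket
        seen[key] = 1
        if (port < 1024)         class = "PRIV_PORT"
        else if (user == "root") class = "ROOT_HIGH"
        else                     class = "OK"
        print class, user, cmd, port
    }'
}

# Constructed sample input in lsof format (not captured from a real host).
sample_lsof() {
cat <<'EOF'
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd    1201   root    4u  IPv4 0x1a2b      0t0  TCP *:80 (LISTEN)
httpd    1210    www    4u  IPv4 0x1a2b      0t0  TCP *:80 (LISTEN)
httpd    1211    www    4u  IPv4 0x1a2b      0t0  TCP *:80 (LISTEN)
java     2300   root   51u  IPv4 0x2c3d      0t0  TCP *:8080 (LISTEN)
java     2300   root   60u  IPv6 0x2c4e      0t0  TCP [::1]:9990 (LISTEN)
java     3400  jboss   51u  IPv4 0x3d4e      0t0  TCP 127.0.0.1:8180 (LISTEN)
sshd      812   root    3u  IPv4 0x0f10      0t0  TCP *:22 (LISTEN)
sshd     5000   root    3u  IPv4 0x0f11      0t0  TCP 10.0.0.5:22->10.0.0.9:51000 (ESTABLISHED)
EOF
}

sample_lsof | classify_listeners
```

In the sample, the root-owned `java` listeners on 8080 and 9990 are the ones to review first, while `httpd` shows the usual pattern of a root parent binding port 80 for workers that run as `www`.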
Heironimus
Honored Contributor

Re: root or non root

I've found very few applications that need root privileges to run. Everywhere I've gone it's been standard practice to install as root but run/manage as non-root, with sudo (or similar) access as appropriate.

You may have to push vendors a little when you start asking questions. Many of them (even big players like IBM) say to run things as root, but if you press they'll admit that it's only necessary in specific situations.

I predict that you'll get very tired of patiently explaining to people that you want to identify why something is failing instead of just doing it as root.
Sorrel G. Jakins
Valued Contributor

Re: root or non root

The bickering over root access rapidly boiled over into a ridiculous situation, all emotion and no fact. So nobody gets it.

1. We build all our systems as a platform, and then use Ignite to create production instances.

2. We make extensive use of sudo, to issue 'root'-level commands but with logging and accountability to particular users.