
Root password

Clara Rowe
Frequent Advisor

Root password

Dear Experts,
This one should be easy for you, I just want your opinions. The DBA's in our shop say they need to have the root password. What are your thoughts?

Thanx.
Clara
Take time to smell the roses.
16 REPLIES
Craig Rants
Honored Contributor
Solution

Re: Root password

Install sudo and give them access to the commands they need; that will create a definitive list of what they need and not make you look like the bad guy.
"In theory, there is no difference between theory and practice. But, in practice, there is." Jan L.A. van de Snepscheut
Uday_S_Ankolekar
Honored Contributor

Re: Root password

Hi,

My answer is NO..

The DBA-related tasks can surely be handled by them with the proper permissions and groups, and for the system admin tasks you are there to help them.
Ask them why they want the root password. In fact, you can give them restricted permission to do some admin jobs by restricted sam (sam -r),
or you can use the sudo utility and have control over their "system administration".


-USA..
Good Luck..
Sachin Patel
Honored Contributor

Re: Root password

Hi Clara,
If I were you I would say no. What is their requirement? Why do they need root access? You can set up sudo or super for it.
If it is a small company with only a few systems I will do it. If it is a big company with lots of different departments handled by different persons I will not.

Sachin
Is photography a hobby or another way to spend $
Santosh Nair_1
Honored Contributor

Re: Root password

I would say absolutely not. I understand that Oracle needs some scripts run as root when you first install it, but that's a one time thing. The DBAs should be able to do their jobs without root permissions since all the database files are usually owned by the DBA.

Also, it would help if you mentioned which database product they administer.

Hope this helps.

-Santosh
Life is what's happening while you're busy making other plans
James Beamish-White
Trusted Contributor

Re: Root password

This is an excerpt from an Oracle security document by Mike Henderson:

The DBA position, and that of the root user, are trusted positions. It is almost impossible to subdivide the job specifications into roles where no one person can do 'too much' and still perform the role effectively in a commercial environment.

I'm not a DBA, I'm a sysadmin, so I don't know what their role entails that can't be got around by having their sysadmin do file system resizing and kernel tuning, but hey, I'm not the DB expert, Mike Henderson is supposed to be...

Cheers,
James
GARDENOFEDEN> create light
Patrick Wallek
Honored Contributor

Re: Root password

I must echo everyone else's statements.

Do NOT give the DBA's unlimited root access. If they screw something up inadvertently, will they tell you EXACTLY what they did? Probably not. And guess who gets to figure out what happened? :)

Install sudo. You can set sudo up so that they can run only what they absolutely have to, and they don't have the root passwd.

The root passwd should be given to the absolute minimum number of people possible.
linuxfan
Honored Contributor

Re: Root password

Hi Clara,

The simple answer is NO. Most of the time they only need root access to run the root.sh script while installing Oracle; you can set up sudo and give them access to run that script.

The best solution is sudo, rather than giving out root access.

You can find out more about sudo from

http://www.courtesan.com/sudo/

-Regards
Ramesh
They think they know but don't. At least I know I don't know - Socrates
James R. Ferguson
Acclaimed Contributor

Re: Root password

Hi:

I don't provide my DBA's with a root password, either. I've got scripts they can use for things like pfs_mounts and beyond that, I'm happy to assist when they need root access.

Regards!

...JRF...
Rainer von Bongartz
Honored Contributor

Re: Root password

root is root and DBA is DBA. That's how it's supposed to be and there should be no need to give away the root password just to admin a database (at least not for ORACLE, INFORMIX or DB2).

He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
A. Clay Stephenson
Acclaimed Contributor

Re: Root password

Hi Clara:

Tell them you want the sys and system Oracle passwords and see what they say. At virtually every site at which I've worked this request comes up and I always say no. The duties are very different and the last thing that you want is for one of those guys to find a nice unused disk (i.e. no filesystem is mounted) and grab your swapspace. There are actually very few times when uid 0 is needed and in the worst case I would create a very small set of setuid wrappers or install sudo to do the same thing on a very limited number of commands. Pfs_mount is tricky enough without having a bunch of DBA's really messing it up.


Clay
If it ain't broke, I can fix that.
John Bolene
Honored Contributor

Re: Root password

I agree, not a chance, don't do it.
Our DBA's have never asked and have never needed it.

Ask what they need it for.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Wodisch
Honored Contributor

Re: Root password

Hello Clara,

just another voice to say "no"...

DBAs do NOT need it, all they need are proper permissions of the mount-points, file-systems, raw-devices and config-files they need/use, but NOTHING about UN*X-administration.
You might try telling them that they have to pass the HP-UX administration certification and the BrainBench UN*X admin certification (and something the like else), before they can get super-user-access on *your* machines.
If they sign you a general "it is my fault" statement with a proof of their insurance covering the costs for a multi-hour-downtime of *your* systems, you can start considering it :-)

Just my $0.02,
Wodisch
Darrell Allen
Honored Contributor

Re: Root password

DBAs the world over want root authority. So do a lot of developers, operators, hackers...

Don't give it! SAs are charged with the security of the systems and are responsible for such. No one else needs root (including pointy-haired managers who don't have a clue about UNIX but do like power). There are tools to give necessary privileges to those who really do need it.

If someone outside the sysadmin group has root, they can have the whole box as far as I'm concerned because I can no longer be responsible for the integrity of the box.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Alan Riggs
Honored Contributor

Re: Root password

*ditto*

Unix is a multi user OS and every commercial database vendor for the last quarter century has segregated the roles of systems administrator and database administrator into separate users.

Coincidence? I think not.

Root privilege should be guarded closely and zealously. Trust me, the first time you lose a production system to a well-meaning but less-than-fully-competent coworker you will learn that lesson for all time.
Clara Rowe
Frequent Advisor

Re: Root password

Thank you one and all for confirming what I knew to be true. I just wanted to have you experts back me up on my position. I intend to say NO to the Oracle DBA's but your comments will help management see that this is the norm.

Thanx again you are the best!

Clara
Take time to smell the roses.
David Lodge
Trusted Contributor

Re: Root password

Just to put a point forward from the opposition.

At my old place of work DBAs and SAs were strongly segregated; this generally worked fine with a few areas of contention (e.g. not enough disc space for expansion, problems editing various files).

At my current place of work the DBA and SA roles have been mangled together and no matter what people will think it does work.

There are arguments for both sides of this:
Against: DBAs don't know what they are doing (but neither do a lot of SAs)
For: Greater efficiency (but greater risk of damage)

I could continue for pages in the above vein... Essentially look at *your* DBAs - would *you* trust them with your passwords? Would they trust you with theirs?

If not look at sudo - it will allow them to do important DBA things without giving them full root access - but be careful; e.g. don't let them run 'vi' under sudo etc...

dave (the SA, but part time DBA!)
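
The sudo approach recommended throughout this thread, together with the caution about running editors such as vi under sudo, as an added example that is not part of any poster's reply: a small Python audit that flags sudoers grants which are equivalent to handing over root. The `%dba` group, the file paths and the sample sudoers text are constructed placeholders, and the parser assumes plain user specifications only (no aliases, no line continuations).

```python
import os
import re

# Programs that give a root shell or arbitrary root file writes when run via sudo.
SHELL_ESCAPE = {"vi", "vim", "view", "ex", "ed", "emacs", "more", "less",
                "man", "sh", "ksh", "csh", "bash", "su", "find", "awk"}

# Constructed sample: group name and paths are placeholders, not from the thread.
SAMPLE_SUDOERS = """\
# too broad: same as giving out the root password
%dba    ALL=(ALL) ALL
%dba    ALL=(root) /usr/bin/vi /etc/oratab
# scoped: the one-time installer script, one mount helper, one file via sudoedit
%dba    ALL=(root) /u01/app/oracle/product/root.sh
%dba    ALL=(root) /usr/sbin/pfs_mount /SD_CDROM, sudoedit /etc/oratab
"""

SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # strips NOPASSWD:, NOEXEC:, ...
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def audit(text):
    """Return (line_no, who, command, reason) for each risky grant."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        for cmd in m["cmds"].split(","):
            cmd = TAG.sub("", cmd.strip())
            if not cmd:
                continue
            prog = cmd.split()[0]
            if prog == "ALL":
                findings.append((no, m["who"], cmd, "unrestricted root"))
            elif prog != "sudoedit" and os.path.basename(prog) in SHELL_ESCAPE:
                findings.append((no, m["who"], cmd, "shell escape or arbitrary write"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print("line %d: %s may run %r (%s)" % finding)
```

`sudoedit` is treated as acceptable because it edits a copy of the named file as the invoking user instead of running the editor as root.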