
Root password

 
A. Clay Stephenson
Acclaimed Contributor

Re: Root password

Hi Clara:

Tell them you want the sys and system Oracle passwords and see what they say. At virtually every site at which I've worked this request comes up and I always say no. The duties are very different and the last thing that you want is for one of those guys to find a nice unused disk (i.e. no filesystem is mounted) and grab your swapspace. There are actually very few times when uid 0 is needed and in the worst case I would create a very small set of setuid wrappers or install sudo to do the same thing on a very limited number of commands. Pfs_mount is tricky enough without having a bunch of DBAs really messing it up.


Clay
If it ain't broke, I can fix that.
John Bolene
Honored Contributor

Re: Root password

I agree, not a chance, don't do it.
Our DBAs have never asked and have never needed it.

Ask what they need it for.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Wodisch
Honored Contributor

Re: Root password

Hello Clara,

just another voice to say "no"...

DBAs do NOT need it, all they need are proper permissions of the mount-points, file-systems, raw-devices and config-files they need/use, but NOTHING about UN*X-administration.
You might try telling them, that they have to pass the HP-UX administration certification and the BrainBench UN*X admin certification (and something the like else), before they can get super-user-access on *your* machines.
If they sign you a general "it is my fault" statement with a proof of their insurance covering the costs for a multi-hour-downtime of *your* systems, you can start considering it :-)

Just my $0.02,
Wodisch
Darrell Allen
Honored Contributor

Re: Root password

DBAs the world over want root authority. So do a lot of developers, operators, hackers...

Don't give it! SAs are charged with the security of the systems and are responsible for such. No one else needs root (including pointy-haired managers who don't have a clue about UNIX but do like power). There are tools to give necessary privileges to those who really do need it.

If someone outside the sysadmin group has root, they can have the whole box as far as I'm concerned because I can no longer be responsible for the integrity of the box.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Alan Riggs
Honored Contributor

Re: Root password

*ditto*

Unix is a multi user OS and every commercial database vendor for the last quarter century has segregated the roles of systems administrator and database administrator into separate users.

Coincidence? I think not.

Root privilege should be guarded closely and zealously. Trust me, the first time you lose a production system to a well-meaning but less-than-fully-competent coworker you will learn that lesson for all time.
Clara Rowe
Frequent Advisor

Re: Root password

Thank you one and all for confirming what I knew to be true. I just wanted to have you experts back me up on my position. I intend to say NO to the Oracle DBAs but your comments will help management see that this is the norm.

Thanx again you are the best!

Clara
Take time to smell the roses.
David Lodge
Trusted Contributor

Re: Root password

Just to put a point forward from the opposition.

At my old place of work DBAs and SAs were strongly segregated, this generally worked fine with a few areas of contention (eg not enough disc space for expansion, problems editing various files.)

At my current place of work the DBA and SA roles have been mangled together and no matter what people will think it does work.

There are arguments for both sides of this:
Against: DBAs don't know what they are doing (but neither do a lot of SAs)
For: Greater efficiency (but greater risk of damage)

I could continue for pages in the above vein... Essentially look at *your* DBAs - would *you* trust them with your passwords? Would they trust you with theirs?

If not look at sudo - it will allow them to do important DBA things without giving them full root access - but be careful; eg don't let them run 'vi' under sudo etc...

dave (the SA, but part time DBA!
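
The sudo advice in the post above (limited commands, but no 'vi' under sudo) can be checked mechanically. The following is an added example, not part of any post in this thread: a small audit of a sudoers-style policy that flags grants of editors, pagers or shells without the NOEXEC tag, and grants of ALL. The `%dba` and `%ops` groups, the file paths and the program list are assumptions made for illustration, and only simple one-line rules are parsed.

```python
import os
import re

# Programs that can start a shell from inside the running program
# (an illustrative list chosen for this example, not exhaustive).
ESCAPE_PRONE = {"vi", "vim", "view", "ed", "ex", "more", "less", "man",
                "sh", "ksh", "csh", "bash"}

# Constructed sample policy; the group names and paths are hypothetical.
SAMPLE_SUDOERS = """\
# DBA rules
%dba ALL = (root) /usr/bin/vi /etc/oratab
%dba ALL = (root) NOEXEC: /usr/bin/more /var/adm/syslog/syslog.log
%dba ALL = (root) /usr/sbin/lvextend, /usr/bin/less
%dba ALL = (root) sudoedit /etc/oratab
%ops ALL = (ALL) ALL
"""

RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")

def audit(text):
    """Return (line_no, who, command, reason) for each risky grant.

    Handles only single-line rules of the form
    'who host = (runas) [TAG:] cmd, cmd'; aliases, Defaults and
    line continuations are out of scope for this sketch.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        noexec = False  # a tag applies to later commands on the same line
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            while (t := re.match(r"([A-Z_]+):\s*", cmd)):
                noexec = {"NOEXEC": True, "EXEC": False}.get(t.group(1), noexec)
                cmd = cmd[t.end():]
            if cmd == "ALL":
                findings.append((no, m.group("who"), cmd, "unrestricted command set"))
                continue
            prog = os.path.basename(cmd.split()[0])
            if prog in ESCAPE_PRONE and not noexec:
                findings.append((no, m.group("who"), cmd, "shell escape possible"))
    return findings
```

NOEXEC only stops the program from executing further commands; an editor running as root can still write to other files, which is why the sample grants `sudoedit` for the one file instead.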