Re: Security Wonks ate my hamster.

From: John Piwowar <jpiwowar_at_gmail.com>
Date: Wed, 23 Mar 2016 06:16:40 -0700
Message-ID: <CAJgcjAAa6EgC8roeVgbkTC71NEvLwjqb15sq+woQbvBN-JK1xw_at_mail.gmail.com>
Well...it depends. :)

I'm not a sysadmin, but most DBAs at a certain experience level have to develop at least "junior sysadmin" skills, and that's about where I am. I have yet to encounter a day-to-day admin task that couldn't be handled with sudo. Maybe the stuff that requires knowing the root password is momentous enough that knocking on the door and asking the boss to open the safe is appropriate.

There's a difference between "root-level access" and "access to root password." The nice thing about using sudo is that everything that is executed (or unsuccessfully attempted) as a privileged user can be logged and audited.

IMO even sysadmins benefit from the discipline of using sudo, even if it's just logging into the box with a personal account and executing "sudo -u root bash". ;)

Interesting point you mentioned here, though: if you are *the* sysadmin for the server (or even *a* sysadmin), then your job role implies a particular level of trust/responsibility. Depriving you of the root password doesn't really do much except impede your ability to execute that role in an emergency. Separation of duties is different everywhere, so I don't want to read too much into your org structure, but I really wonder about the motivation of taking the keys away from the guy entrusted to drive the bus.

On Wednesday, 23 March 2016, Howard Latham <howard.latham_at_gmail.com> wrote:

> I am also the Sysadmin! And as I understand it certain things HAVE to be
> done as root.
>
> On 23 March 2016 at 12:51, John Piwowar <jpiwowar_at_gmail.com> wrote:
>
>> As a DBA I'd prefer *not* to have access to the root password, and
>> instead have my user/group included in a thoughtfully-constructed sudoers
>> file.
>>
>> If locking the root password in a safe is what counts as secure, though,
>> then selling permission to use sudo might be a bridge too far. ;-)
>>
>> On Wednesday, 23 March 2016, Howard Latham <howard.latham_at_gmail.com> wrote:
>>
>>> Our IT Director has decided only he will have root access to our 4 Linux
>>> Database Servers. And the password will be held in a safe. Does this mean
>>> I can no longer do the administration of Linux / Oracle, or does his idea of
>>> creating a new account solve it?
>>>
>>> --
>>> Howard A. Latham
>>>
>>
>> --
>> Regards,
>>
>> John P.
>>
>> (Typed with thumbs on a mobile device. Lowered expectations appreciated)
>>
>
> --
> Howard A. Latham
>

-- 
Regards,

John P.

(Typed with thumbs on a mobile device. Lowered expectations appreciated)
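
As an added illustration (not part of the thread or anyone's actual config), here is a sudoers fragment along the lines John describes: the DBA group gets a short list of specific commands instead of the root password, and sudo's own logging records each invocation and session. The hostnames, the `dba` group, the `oracle` owner account, and the unit and path names are assumptions.

```sudoers
# Added example, not from the thread. Hostnames, group and account names,
# unit names and paths are assumptions for a 4-server Oracle estate.
# Always edit sudoers with visudo so a syntax error cannot lock everyone out.

# Weak form, for contrast: this is "the root password" by another name.
# The audit trail holds one line ("sudo -u root bash") and then goes dark.
#   %dba  ALL=(ALL) NOPASSWD: ALL

Host_Alias  ORADB     = oradb01, oradb02, oradb03, oradb04

# The handful of root-only tasks a DBA actually needs day to day.
Cmnd_Alias  ORA_SVC   = /bin/systemctl start oracle-db, \
                        /bin/systemctl stop oracle-db, \
                        /bin/systemctl restart oracle-db, \
                        /bin/systemctl status oracle-db
Cmnd_Alias  ORA_KERN  = /sbin/sysctl -p /etc/sysctl.d/99-oracle.conf
Cmnd_Alias  ORA_MOUNT = /bin/mount /u0[1-4], /bin/umount /u0[1-4]
Cmnd_Alias  ORA_LOGS  = /usr/bin/tail -f /var/log/messages

# Per-command log plus full session recordings, one directory per caller,
# so "what was executed (or attempted) as root" is answerable after the fact.
Defaults    logfile=/var/log/sudo.log, log_input, log_output
Defaults    iolog_dir=/var/log/sudo-io/%{user}
Defaults    use_pty, requiretty

# No NOPASSWD: the caller's own password ties each line to a person, and an
# unattended terminal cannot run these silently. NOEXEC stops the listed
# programs from spawning an unlogged shell. Shells and editors are simply
# not granted; the positive list is the whole grant.
%dba  ORADB = NOEXEC: ORA_SVC, ORA_KERN, ORA_MOUNT, ORA_LOGS

# Becoming the Oracle software owner is routine DBA work. Granting it here
# means it is authenticated and session-logged, unlike a shared password.
%dba  ORADB = (oracle) /bin/bash
```

Anything not on the list fails with a logged "command not allowed" entry, which is exactly the audit evidence the thread is after; the root password can stay in the safe for the genuinely momentous cases.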

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Mar 23 2016 - 14:16:40 CET