Re: Sys Admins Wanted

Colin Panisset (Colin.Panisset@nospam.nms.otc.com.au)
Wed, 4 May 1994 11:34:52 +1000 (EST)

Once upon a time, Dennis Clark was heard to say:

} 5 is a lot for 1 machine, but I suppose we need that many seeing none of
} them will be working on ftoomsh full-time.

Implement a change log on the machine. Cause it to be updated after every
command-as-root. MAKE IT USED! This is the only way you're going to have
any idea of what's going on with a machine. We have two admins working on
the same machines here (yes, I'm one), and without some kind of decent
logging procedure we'd have trodden on each other's toes many a time.

} May I suggest not giving
} them all the root password, and instead allow them to use some
} su-root-but-type-your-own-password-instead program like they have in
} SoCS.

Look into 'sudo' -- it allows certain commands to be executed, and logs the
commands in a command file as they're executed. Unless people are rigidly
self-controlled, you'll get people copying /bin/sh to their home directories
and setuid-root'ing them. And then they'll edit the log so that it doesn't
appear.

No, I've never done this before, it wasn't me at all.

} This makes it easier to tell different roots... err admins apart
} when they're logged in. Have only the Computer Systems Officer have the
} root password, with the console bootable to single-user mode in case
} s/he gets run over by a large road vehicle.

Provided the console isn't user-accessible.

Write the root password in a log somewhere and have it stored in a place
that only a responsible person can get to it (suggest -- locked drawer in
Sbug's or Peter Gale's desks... locked cabinet in machine room.)

-- Colin.
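
Added example, not part of the original message: a small POSIX shell audit for the setuid copies of /bin/sh in home directories mentioned above. It reads the filesystem rather than the command log, so it still works when the log has been edited. The function names, the output format and the use of /etc/shells as a list of known shells are assumptions of this example.

```shell
#!/bin/sh
# Added example: report setuid files under the given directories and mark
# those that are byte-for-byte copies of a known shell.

# known_shells: print candidate shell paths, one per line.
# Assumption: /bin/sh plus any absolute paths listed in /etc/shells.
known_shells() {
    echo /bin/sh
    if [ -r /etc/shells ]; then
        grep '^/' /etc/shells || true
    fi
}

# is_shell_copy FILE: succeed if FILE is identical to one of the known shells.
is_shell_copy() {
    for s in $(known_shells); do
        if [ -f "$s" ] && cmp -s "$1" "$s"; then
            return 0
        fi
    done
    return 1
}

# audit_setuid DIR...: print one tab-separated line per setuid regular file:
#   KIND  uid=OWNER  PATH
# KIND is SHELL-COPY for a copy of a shell, SETUID otherwise. uid=0 means the
# file runs as root. Paths containing newlines are not handled.
audit_setuid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        owner=$(ls -ldn "$f" | awk '{print $3}')
        if is_shell_copy "$f"; then
            kind=SHELL-COPY
        else
            kind=SETUID
        fi
        printf '%s\tuid=%s\t%s\n' "$kind" "$owner" "$f"
    done
}

# Run as a script: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    audit_setuid "$@"
fi
```

Run from cron with the output mailed or written to a host the admins cannot modify, any line with `uid=0` under a home directory is worth an immediate look.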