Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sol.ctr.columbia.edu!emory!gatech!prism!gt1111a
From: gt1111a@prism.gatech.EDU (Vincent Fox)
Newsgroups: comp.admin.policy
Subject: Re: Policies concerning root privs
Message-ID: <30593@hydra.gatech.EDU>
Date: 4 Jun 91 19:43:55 GMT
References:
Organization: Georgia Institute of Technology
Lines: 37

jgarb@csd4330a.erim.org (Joe Garbarino) writes:
>I'm sure this has been discussed to death in other groups, but I
>haven't seen it and this seemed to be an appropriate place.
>I am responsible for some 40 workstations. These workstations are all
>connected to the Internet, and are dispersed among 18 different
>groups, each of which would like to have root privileges on their
>machines.
>Is this a good/bad idea? What policies have various sites developed
>to deal with this question? If it's a bad idea, what are various
>methods for dealing with groups that demand they have root privilege?
>Any advice for sites on how to approach revoking privileges?

I have yet to see any valid reason for my users to have root. The usual
claims of "we need it so we can install our own software, etc" are rarely
true. Particularly if you are running all these machines on NIS, it's
better if only you have root. My rule is: If you want to be on my NIS,
and have me make sure your machine is secured and runs reliably, I'm in
the driver's seat.

The software installation issue I handle several ways. If it's just one
product for one guy, why install it as root? Just load it into his home
directory, for which root privs are rarely needed. If it's something that
does need to be shared, they can schedule a time for me to drop by and do
it. (Usually delaying things by 1-2 days for them, but saving them lots
of time. Installing things like E-CAD can be tricky and require many
calls to manufacturer for novices.)

The new automount facilities kill the problem of needing root to do mounts.
And other programs COULD be setuid'ed as needed.

--
Vincent Fox (That's Mr. Bucko to you)|Georgia Tech, the only place where Friday
Georgia Tech, Atlanta GA             |is only two working days away from Monday.
SR-71: gt1111a@prism.gatech.edu      | -- Uttered by David Sonnier during
Pony Express:...!gatech!prism!gt1111a| CS3602 lab 5/10/1991 ~ 1730 EDT