Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!ut-sally!utah-cs!cetron
From: cetron@utah-cs.UUCP (Edward J Cetron)
Newsgroups: news.misc,news.sysadmin
Subject: Re: Foothead, Foothead, on the net/Who's the biggest liar yet?
Message-ID: <4510@utah-cs.UUCP>
Date: Sun, 19-Apr-87 23:49:50 EST
Article-I.D.: utah-cs.4510
Posted: Sun Apr 19 23:49:50 1987
Date-Received: Tue, 21-Apr-87 00:17:50 EST
References: <1128@cartan.Berkeley.EDU> <1065@epimass.UUCP> <5553@eddie.MIT.EDU> <5558@eddie.MIT.EDU>
Reply-To: cetron@cs.utah.edu.UUCP (Edward J Cetron)
Organization: Center for Engineering Design, Univ of Utah
Lines: 62
Summary: when its MY ass, you bet I'll cover it!!!!
Xref: mnetor news.misc:288 news.sysadmin:123

In article <5558@eddie.MIT.EDU> ooblick@eddie.UUCP (Mikki Barry) writes:
[...]
->An important factor that everyone seems to have missed here is that
->Foothead's home directory was PROTECTED. I have spoken to foothead on
-> [...]
->
->And I do not like the fact that you appear to be using your root privs
->to look through protected directories. I also don't like faked news and/or
->mail articles. If it is proven that fh did it, great. Kick him off the
->net forever. But trashing someone before you have proof is reprehensible.
->
->Mikki Barry

1. Kicking anyone off without proof, I agree, is totally wrong. On the
other hand, TEMPORARILY disabling an account and contacting the owner to
ascertain what has/is happening IS legit. But in OUR shop, if/when it
becomes permanent, you can bet a formal written letter is sent.

but this is my main point, the following is:

2. On the machines that I am responsible for, it's my ass on the line. If
one of our users starts to abuse the network, fake mail, run an illegal
escort service :-) or whatever from one of our machines, I'm going to catch
it just as bad as the offender (and you can bet I will pass it on).

If AFTER sufficient evidence or complaints are filed/found, I WILL
ABSOLUTELY USE ANY OF MY ROOT/SYSTEM PRIVILEGES TO GET TO THE BOTTOM OF THE
SITUATION. This is not to say I will unilaterally 'trash' a user (even
though it is explained to ALL users that I can and will if I deem it
necessary) but it is also understood that the machines in our facility are
the center's, NOT the users', and that NOTHING on the machines is considered
sacrosanct. Only on two occasions have I ever had to use those root
permissions:

a) The lab was expecting a critical letter from an outside source (just so
happened to be mit :-) ) and the student whose account it was to be sent to
was gone for three days, so I monitored syslog until it arrived and pulled
it out of his directory. NOTE: this was lab business NOT personal mail and
gov't contracting agencies wait for no man.

b) We had a professor in one of the dept's who seemed to be raiding student
accounts for neat programs. After a student complained we monitored his
account. Sure enough, several programs auto-magically appeared in his
account which had the same checksum as those in student accounts (and no,
the students were not his). Unfortunately, due to internal politics of this
other dept., in spite of the evidence, we could do nothing (not to mention
this prof had root privs) except cut off his root priv's. (though we finally
got even using a trojan horse program which he then also stole.....:-))

Both times I 'snooped', neither time did I feel guilty. I, and the lab,
expect our personnel to be professionals and as such we respect their
privacy as much as possible - UP TO A POINT. If we see abuse or hear of it
from reliable channels, I will investigate it using whatever means is
appropriate, if that means snooping, so be it.

If Ambar trashed an account without due reason, then that WAS wrong, but to
complain about using root priv's to obtain evidence is crap.

-ed cetron
Computer Services Manager
Center for Engineering Design
Univ. of Utah
cetron@cs.utah.edu
cetron@utahcca.bitnet