Re: [nv-l] Root Authority

To: "Gavin Newman" <NEWMANGJ@banksa.com.au>, <nv-l@lists.tivoli.com>
Subject: Re: [nv-l] Root Authority
From: "Dermott" <DermottA@Attbi.com>
Date: Sun, 30 Jun 2002 23:33:32 -0400
Reply-to: "Dermott" <dermottA@Attbi.com>
The benefit here is accountability.  You know who made changes and when they were logged in,
as opposed to multiple people logging in as "root" and all running shells and programs being owned by "root".  Sure I could (did)
bring systems & subsystems down, but everyone knew it was me, not just someone logged in as root.

Plus having my (root equivalent) login name or our "NetviewAutomation" id (with UID 0) show up in the process table made it easy to
differentiate system processes from my own Netview custom add-ins, thus making it easier to kill off questionable processes when there
were "issues" with Netview.

Good Luck,
--Dermott

----- Original Message -----
From: "Gavin Newman" <NEWMANGJ@banksa.com.au>
To: <nv-l@lists.tivoli.com>
Sent: Sunday, June 30, 2002 10:05 PM
Subject: [nv-l] Root Authority


Leslie

I must be missing something here, what is the point in protecting the password assigned to the user who has the name "root" and the
UID 0 by giving other users UID=0? By doing so they have root powers, can do anything the user "root" can do using their own
password and therefore don't need to know the user root password.

The name "root" has no power, the UID=0 certainly does.

Cheers - Gavin :)



Now why would I tell them that? ;)
Really, I think the point of that maneuver is to protect the
root password. The other uid 0 users don't need to know
the password used for root by the system administrator.
I guess it all depends on what they are paranoid about.

Cordially,

Leslie A. Clark
IBM Global Services - Systems Mgmt & Networking
Detroit




From:     "Gavin Newman" <NEWMANGJ@banksa.com.au>
To:       <nv-l@lists.tivoli.com>
cc:
Subject:  [nv-l] Root Authority
Date:     06/27/2002 07:05 PM





Leslie

In your second paragraph you say that sites add a "non-root user with a uid of 0"

They should be aware that it is not the name "root" that has the magic
powers but the uid number 0. You can have any number of names, each with a
UID of 0, and they all have "root power" so if the sites you refer to think
they have circumvented the root "problem" then they are probably in for a
surprise....

Cheers - Gavin

>>> "Leslie Clark" <lclark@us.ibm.com> 27/06/2002 21:27:07 >>>
Of the one hundred or so sites where I have implemented Netview, I have
encountered only three that absolutely would not give root to the Netview
administrator. In all three cases those customers followed a policy of
pushing out a common /etc/passwd file to all AIX systems, so a common
root password was in use for all systems.  Not a fashionable approach,
but not all that uncommon.

Some sites add a non-root userid with an effective uid of 0, allowing
most function without the user needing to know root's password. I have
not seen this lately and don't know what the limitations might be if any.
The sudo approach is pretty common and seems to work well.

Many sites with strict AIX support teams simply opt out of AIX support.
They would rather go it alone than put up with the delays involved in
getting someone to come over and type something in for them.

I personally always put it right in the contract that I will have root access
while I am onsite implementing Netview. Time is money, after all.

Cordially,


---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com

*NOTE*
This is not an Official Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)
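
An audit sketch for the practice discussed in this thread, added here as an example and not written by any of the posters: it parses passwd-format data and reports which names other than "root" carry UID 0, plus any other UID shared by several names. The sample entries and account names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in passwd format: name:passwd:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
# comment line
netview:!:0:0:NetView admin:/home/netview:/usr/bin/ksh
nvauto:!:0:0:NetviewAutomation:/home/nvauto:/usr/bin/ksh
alice:!:205:1::/home/alice:/usr/bin/ksh
bob:!:205:1::/home/bob:/usr/bin/ksh
broken-line-without-fields
"""


def parse_passwd(text):
    """Yield (name, uid) per well-formed entry; skip blanks, comments, bad lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        yield fields[0], uid


def accounts_by_uid(text):
    """Map each UID to the list of account names that carry it, in file order."""
    groups = defaultdict(list)
    for name, uid in parse_passwd(text):
        groups[uid].append(name)
    return dict(groups)


def uid0_aliases(text):
    """Names other than 'root' that carry UID 0 and therefore full root power."""
    return [n for n in accounts_by_uid(text).get(0, []) if n != "root"]


def shared_uids(text):
    """UIDs held by more than one name; the kernel cannot tell these names apart."""
    return {u: names for u, names in accounts_by_uid(text).items() if len(names) > 1}


if __name__ == "__main__":
    print("UID 0 aliases:", uid0_aliases(SAMPLE_PASSWD))
    print("Shared UIDs:  ", shared_uids(SAMPLE_PASSWD))
```

To check a real system, pass the contents of its passwd file to the same functions instead of `SAMPLE_PASSWD`.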







Archive operated by Skills 1st Ltd
