root == Bad

I’ve been reading a bunch of posts covering the idea of “making another root account”. I read this KB article from VMware when it first came out and said “how dumb, no thanks”. I didn’t realize it would cause such a stir.

When I design new systems and deploy new applications and processes at my work, a large part of the discussion in my mind is how much support work this new procedure will cause. Initial deployment is typically all a project planner thinks about. In my experience that is a small cost in the overall picture.

Adding an additional root level account introduces the following support issues:

  • An account that has to be audited
  • An account that has to have a regular password update which means tracking that password
  • An account that needs to have the password distributed to various individuals
  • An attack vector that must be considered or contained

Anyone who immediately says these are trivial has never had to maintain this for thousands of accounts, from the top of the organization down to the individual account. Each item might be simple on its own, but once you add it to every procedure you have, it adds up.

Now why would you need another root account? I’m doing everything I can to get rid of all usage of it. sudo does 99.99% of everything I need to do with root level privileges in ESX. If I could add a host into VirtualCenter using a user account instead of root, I’d be happy to disable logins using root. There is only one situation I can think of where I need root, and if the host is that screwed up, I’ll most likely be rebooting it anyway.
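To make the auditability argument concrete, here is an added example (my own, not from the post or from VMware) that attributes privileged actions in a handful of constructed syslog lines: sudo entries name the engineer who invoked them, even for a refused command, while a login with the shared root password yields only a source address.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not taken from the post), in the shape sudo and
# sshd write on a RHEL-style service console: two sudo runs by named engineers,
# one denied sudo attempt, and one direct root login over ssh.
SAMPLE_LOG = """\
Mar  3 10:12:01 esx01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/sbin/esxcfg-vswitch -l
Mar  3 10:15:44 esx01 sudo:   mjones : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/sbin/service vmware-hostd restart
Mar  3 10:20:09 esx01 sshd[2231]: Accepted password for root from 10.0.0.5 port 51234 ssh2
Mar  3 10:21:30 esx01 sudo:   mjones : command not allowed ; TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/rm -rf /
"""

# Shared syslog prefix: timestamp and hostname.
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) "
SUDO_RE = re.compile(
    _PREFIX + r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
ROOT_LOGIN_RE = re.compile(
    _PREFIX + r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)"
)


def attribute_privileged_actions(log_text):
    """Split privileged activity into actions tied to a named person (sudo) and
    root logins that a shared password cannot tie to anyone."""
    attributed = defaultdict(list)
    unattributed = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            # sudo records the invoking user even when it refuses the command.
            attributed[m["user"]].append(
                {"ts": m["ts"], "host": m["host"], "cmd": m["cmd"],
                 "allowed": m["denied"] is None}
            )
            continue
        m = ROOT_LOGIN_RE.match(line)
        if m:
            # Only a source address survives; the person behind it is unknown.
            unattributed.append({"ts": m["ts"], "host": m["host"], "src": m["src"]})
    return dict(attributed), unattributed
```

Run `attribute_privileged_actions(SAMPLE_LOG)` to get the per-engineer action list alongside the root logins that nobody can be held to.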

Not much use for root honestly. Fight the power. As a fellow blogger says so elegantly, “Just ’cause you can doesn’t mean you should”.

4 thoughts on “root == Bad”

  1. One point of contention:

    “Anyone that immediately says these are trivial never has had to maintain this for thousands of accounts from the top down to the actual account. It might be simple to do though when you start adding this to every procedure you have, it adds up.

    Now why would you need another root account? I’m doing everything I can to get rid of all usage of it. sudo does 99.99% of everything I need to do with root level privileges in ESX.”

    If you are already sshing into thousands of ESX servers to do maintenance, then the benefit/non-benefit of having this is moot, and your management/design should likely be revisited.

    That said, in this case, it’s just one of those things available to you. Logging into ESX and doing “sudo rm -rf /” isn’t smart either, but it can be done.

  2. You technically don’t need a root account on the ESX host to add it to VirtualCenter. A user account with the correct privileges would suffice.

  3. @Cody: I don’t follow you quite clearly, Cody. I ssh into around a hundred ESX hosts currently using a home-grown framework for management and auditing for this environment, so these actions aren’t manual. The key is I’m not sshing into every one of these machines with the root account. Instead each engineer uses their own credentials, and as such this is well audited as to who did what when. Can I prevent someone from running “sudo rm -rf”? No. Can I figure out who did it? Yes. If they were using root or some other shared account, could I figure out who did it? Not unless they admit to it.

    There is a point where you have to have some faith or trust in the individuals that have the power. The best you can do realistically is to limit who has that level of power as much as reasonable, while balancing the age-old debate of security where you can’t do anything versus flexibility to get your job done.

    @Vishnu: What privileges do you need? I’ll have to look into this again and try it.
