Comments on: root == Bad http://itsjustanotherlayer.com/2008/12/root-bad/ Virtualization is a layer in software. What are you abstracting away from? Sun, 05 Sep 2010 12:56:49 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: iguy http://itsjustanotherlayer.com/2008/12/root-bad/comment-page-1/#comment-50 iguy Sun, 28 Dec 2008 20:34:45 +0000 http://itsjustanotherlayer.com/?p=51#comment-50 @Cody: I don't follow you quite clearly Cody. I ssh into around a hundred ESX Hosts currently using a home grown framework for management and auditing for this environment. So these actions aren't manual. The key is I'm not sshing into everyone of these machines with the root account. Instead each engineer uses their own credentials and as such this is well audited as who did what when. Can I prevent someone from running "sudo rm -rf"? No. Can I figure out who did it? Yes. If they were using root or some other shared account could I figure out who did it? Not unless they admit to it. There is a point where you have to have some faith or trust in the individuals that have the power. The best you can do realistically is to limit who have that level of power as much as reasonable while balancing the age old debate of security where you can't do anything versus flexibility to get your job done. @Vishnu: What privileges do you need? I'll have to look into this again and try it. @Cody: I don’t follow you quite clearly Cody. I ssh into around a hundred ESX Hosts currently using a home grown framework for management and auditing for this environment. So these actions aren’t manual. The key is I’m not sshing into everyone of these machines with the root account. Instead each engineer uses their own credentials and as such this is well audited as who did what when. Can I prevent someone from running “sudo rm -rf”? No. Can I figure out who did it? Yes. If they were using root or some other shared account could I figure out who did it? Not unless they admit to it.

There is a point where you have to have some faith or trust in the individuals that have the power. The best you can do realistically is to limit who have that level of power as much as reasonable while balancing the age old debate of security where you can’t do anything versus flexibility to get your job done.

@Vishnu: What privileges do you need? I’ll have to look into this again and try it.

]]> By: Vishnu Mohan http://itsjustanotherlayer.com/2008/12/root-bad/comment-page-1/#comment-48 Vishnu Mohan Sun, 28 Dec 2008 14:46:24 +0000 http://itsjustanotherlayer.com/?p=51#comment-48 You technically don't need a root account on the ESX host to add it to VirtualCenter. A user account with the correct privileges would suffice. You technically don’t need a root account on the ESX host to add it to VirtualCenter. A user account with the correct privileges would suffice.

]]> By: Cody http://itsjustanotherlayer.com/2008/12/root-bad/comment-page-1/#comment-46 Cody Sun, 28 Dec 2008 04:31:22 +0000 http://itsjustanotherlayer.com/?p=51#comment-46 One point of contention: "Anyone that immediately says these are trivial never has had to maintain this for thousands of accounts from the top down to the actual account. It might be simple to do though when you start adding this to every procedure you have, it adds up. Now why would you need another root account? I’m doing everything I can to get rid of all usage of it. sudo does 99.99% of everything I need to do with root level privileges in ESX." If you are already sshing, into thousands of ESX servers to do maintenance, then the benefit/non-benefit of having this is moot, and your management/design should likely be revisited. That said, in this case, it's just one of those things available to you. Logging into ESX and doing "sudo rm -rf /" isn't smart either, but it can be done. One point of contention:

“Anyone that immediately says these are trivial never has had to maintain this for thousands of accounts from the top down to the actual account. It might be simple to do though when you start adding this to every procedure you have, it adds up.

Now why would you need another root account? I’m doing everything I can to get rid of all usage of it. sudo does 99.99% of everything I need to do with root level privileges in ESX.”

If you are already sshing, into thousands of ESX servers to do maintenance, then the benefit/non-benefit of having this is moot, and your management/design should likely be revisited.

That said, in this case, it’s just one of those things available to you. Logging into ESX and doing “sudo rm -rf /” isn’t smart either, but it can be done.

]]> By: Jason Boche http://itsjustanotherlayer.com/2008/12/root-bad/comment-page-1/#comment-45 Jason Boche Sun, 28 Dec 2008 03:57:05 +0000 http://itsjustanotherlayer.com/?p=51#comment-45 You obviously work in the trenches. In the real world. Like me. You obviously work in the trenches. In the real world. Like me.

]]>