Security Operating Systems Software Unix

UNIX Systems Control Politics?

pariahdecss asks: "I have just been hired as the webmaster for local college. The website for which I am responsible is hosted 'in-house' and controlled by the college. The server box does not have any other production systems on it besides my website. The website that I have inherited is driven by an amalgam of Embedded Perl and PostgreSQL. Now to the politics...the UNIX Administrator does not want to give me root access to this box. What have others done when faced with this type of systems politics? Is it even possible to function as a full scale webmaster without root access to the box you serve from?"
This discussion has been archived. No new comments can be posted.

  • by at2000 ( 715252 ) * on Sunday November 21, 2004 @11:26AM (#10880753)
    I don't think anyone would agree with you.

    Which of Perl and PostgreSQL needs root? If webmasters need root access, then who else doesn't need it?
  • sudo (Score:5, Informative)

    by xmas2003 ( 739875 ) * on Sunday November 21, 2004 @11:30AM (#10880783) Homepage
    sudo [www.sudo.ws] is a great tool to control and log root access - if the UNIX Admins aren't using this already, they should be.

    So document exactly what you REALLY need sudo access for, and *if* there is a business case justification, then they should be able to grant this on a per command basis. There should be no reason for a webmaster to "need" the root password.

  • SUDO (Score:5, Informative)

    by missing000 ( 602285 ) on Sunday November 21, 2004 @11:32AM (#10880794)
    I'd just ask for sudo [courtesan.com] access to the resources I needed. Also, you never said why he denied access. Does the system have trust relationships with other systems he wants you out of?
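The per-command grant that the two sudo comments above describe, as an added example (not code from the thread or from the sudo project): a sudoers drop-in limited to two Apache control commands, plus a lint that rejects a blanket grant. The account name `webmaster`, the `/usr/sbin/apachectl` path, the drop-in file name and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed: account "webmaster", /usr/sbin/apachectl, and the
# drop-in name /etc/sudoers.d/webmaster. Helper names are hypothetical.

# Print the drop-in: two exact commands as root, nothing else.
# sudo records each invocation through syslog by default.
webmaster_sudoers() {
    cat <<'EOF'
# constructed example for /etc/sudoers.d/webmaster
Cmnd_Alias WEB_CTL = /usr/sbin/apachectl configtest, \
                     /usr/sbin/apachectl graceful
webmaster ALL = (root) WEB_CTL
EOF
}

# Reject rules that undo the per-command model. Returns 1 on any finding.
lint_sudoers() {
    rules=$(grep -v '^[[:space:]]*#' "$1" || true)
    rc=0
    # Command list is the built-in ALL, e.g. "user ALL=(ALL) NOPASSWD: ALL".
    if printf '%s\n' "$rules" | grep -Eq '=(.*[):,[:space:]])?ALL[[:space:]]*$'; then
        echo "blanket grant: command list is ALL"; rc=1
    fi
    # Wildcards let the caller choose arguments the admin never reviewed.
    if printf '%s\n' "$rules" | grep -q '[*?]'; then
        echo "wildcard in command spec"; rc=1
    fi
    return "$rc"
}

# Run as root: lint, syntax-check with visudo, then install read-only for root.
install_sudoers() {
    lint_sudoers "$1" && visudo -cf "$1" &&
        install -o root -g root -m 0440 "$1" /etc/sudoers.d/webmaster
}
```

With this in place the webmaster runs `sudo /usr/sbin/apachectl graceful` under their own password, and any other command under sudo is refused and logged.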
  • by Anonymous Coward on Sunday November 21, 2004 @11:35AM (#10880817)
    See it from his point of view, most people are morons. I would never give root to someone who could well start running all kinds of crap, it's me that gets it in the ass when some dolt starts 'sharing' copyright material.

    Get to know the guy, there's a whole load of politics that is required in a work environment and can be discarded if you trust people not to shaft you. It cuts both ways but you will get your root if you're not a liability and it makes his job easier.
  • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Sunday November 21, 2004 @12:06PM (#10880971) Homepage
    Now to the politics...the UNIX Administrator does not want to give me root access to this box.
    Well, who's going to have to fix the box if you break it? The UNIX Administrator, probably.

    You've not mentioned anything of your skills or previous experience. `Webmaster' could mean that you're a skilled systems administrator and/or programmer yourself ... or it could mean that you spent 15 minutes playing with Frontpage and Photoshop. Or anything in between.

    What have others done when faced with this type of systems politics?
    It's a university, so things may be different, but in the business sector, one makes a business case for needing root access, and puts that, plus the pros and cons into a presentation and presents that to management and the systems administrator. If you have the needed skills, and can convince people that having root access would make for a better web site, the sysadmin may be happy to let you have access to your box (because it may mean less work for him.) At least in the business world, politics definitely exist, but a good business case can often cut through it like a knife through butter. (It's unfortunate when skilled sysadmins and programmers have to spend their time making Powerpoint presentations, but it's often how you deal with the suits.)

    But if you're some `loose cannon' who doesn't know anything about *nix system administration beyond what you've read in some book, then root access is a disaster waiting to happen.

    (As I said, I don't know which group you fit into.)

    Is it even possible to function as a full scale webmaster without root access to the box you serve from?
    It sounds like you've already answered your own question, and want us to come up with the same answer. `full scale webmaster?' In any event, my answer is `yes', which is probably not the answer you want to hear.

    Not having root access is a blessing in disguise too. If something gets really messed up and root access is needed to fix it, you have the benefit of 1) not being blamed for it, because you couldn't have done it, and 2) not having to fix it.

    One piece of advice -- whatever happens, don't try to `crack' root access. Getting caught, even if you think it helps you do your job, is likely to end in your being fired, and could even find you being arrested. (Yes, it has happened.) If you're a student, you could even be expelled. Not worth the risk.

  • by t482 ( 193197 ) on Sunday November 21, 2004 @12:47PM (#10881179) Homepage
    Get a decent QA environment which is similar to production. Give the person an implementation plan for moving it to the other box. If it is a small environment in terms of people (which sounds like it is) and you want to put in many code changes - ensure they are scheduled for Friday or Saturday nights - no point in allowing him to still have a social life. In my experience in smaller environments eventually the sysadmin will capitulate and say - "OK - you do it yourself".

    In larger systems (eg banks) typically this is the way it works. Generally you also need sign off from the sys admins and each change goes through a change committee where they validate the change. Another group often audits the code to ensure there will be no bad impact and the code is ok (no security concerns).
  • by blargh-dot-com ( 181292 ) on Sunday November 21, 2004 @01:21PM (#10881352)
    At a largish-university. There would be (and was) no way a webmaster would have root access to any boxen I controlled. For a number of reasons:

    a) You don't need it. Making sure apache is up and running and patched is my job, and I probably do it to 50 boxes at once and have nice automated scripts.

    b) Every single webmaster I met (until I left a few months ago) swore they needed root access to install some apache module or other. No, you don't. You ask the sysadmin and, most times, if he can do it without a huge amount of effort (pointing him to the exact URL of the module's home page, and even better, pre-compiled packages for your OS, would tend to improve his/her mood) then I will, after carefully evaluating it, its security, its size, etc.

    c) Politics sucks, and the poor sysadmin generally has to fight tooth and nail for every little bit he/she can get. Going the political route and over your sysadmin's head is a very good way to ensure whatever box you end up controlling has a number of... strange issues. Not saying I did this, but I know a LOT of sysadmins who have. A LOT. A lot of people you normally wouldn't expect. Especially in a university or state-run organization, politics and political image counts for a lot, and if you use politics to override your sysadmin, they're going to be very bitter about it. Not a good idea at all.

    d) Working with the sysadmin, if you can provide a DAMN good case, and actually show you know what you're doing, what will usually happen is the sysadmin will hand over root and wash his or her hands of the matter. Box gets owned? Your problem. Box goes down? Your problem. Operating system barfs? Your problem. Too many people having root is a terminally bad idea, and most sysadmins will avoid it like the plague.

    e) If all you need is the ability to restart/reload apache, there are a number of other ways to accomplish that, as has been mentioned. Personally, I would have gone the 80->8080 route, because I didn't hand out sudo either. :)
  • Re:Yes (Score:5, Informative)

    by Geoffreyerffoeg ( 729040 ) on Sunday November 21, 2004 @02:58PM (#10881877)
    It's entirely possible to function without root.

    I webmaster the site for our state's math club chapter, which uses ASP/Access for online registration (not my choice - this is an inherited site, and our host is on NT). All I've got is FTP. I can function as well as I need. Exactly what do you need even non-root shell access for? All you should need to do is edit files and change stuff on the database...and the database should let you use a local client.

    What exactly is a "full-scale webmaster" other than a system administrator also?
  • by MerlynEmrys67 ( 583469 ) on Sunday November 21, 2004 @04:18PM (#10882321)
    And even restarting apache on port 80 doesn't "Require" root - it just requires root privs for a single operation that can be isolated and controlled.

    Root access should almost never be used unless actively administering the machine. Other than that, control should not be used - or isolated to things that certain people can be proxied for (ie. restarting apache)

    Having said that - I am not all too certain why you would need to restart apache either.

    Now, let's get down to what you might need.
    A change management system that will allow you to move your test environment to a production environment

    Other than those things - what else do you need on the production machine?

  • Re:Yes (Score:5, Informative)

    by rtaylor ( 70602 ) on Sunday November 21, 2004 @05:02PM (#10882589) Homepage

    Albeit to a limited extent. You have to ask your admin to install / upgrade software for you, but


    Heck, it's PostgreSQL, Perl and Apache. None of those needs to run as root, be owned by root, etc.

    Just get a few gigs of diskspace in your home directory and go from there. Since this person can be trusted as root, surely they know how to compile software to places other than /usr/local (or default path of choice).
  • Be patient (Score:3, Informative)

    by Darth_Burrito ( 227272 ) on Sunday November 21, 2004 @05:54PM (#10882921)
    I have just been hired as the webmaster for local college.

    This is your problem right here. If your predecessor did not have root access, you are going to have to prove to the admin that he should give it to you. Even if your predecessor did have root access, the sys admin may not be inclined to hand out root privileges to anyone with the title of webmaster.

    Just to give you some background, I work in a small college department, and I've got about three times as much access now as when I started 18 months ago (sometimes I wish I didn't). The secret is to be patient, work with the admins, and prove yourself over time. Also, help them out whenever you can (but only if you can). It's not in your interests to get in a power struggle with them.

    Consider pursuing projects that will benefit everyone in the value chain. For example, a lot of people use write only memory for their web logs. Perhaps you could implement some kind of log analysis tool, that could:
    1) Help the admin/you monitor attacks and load.
    2) Help you/content providers monitor page usage and user demographics.

    Maybe you could use something like AWStats [sourceforge.net]. A project like this will give you an opportunity to work closely with the admin, demonstrating both your expertise, and your ability to add value.
  • by Shag ( 3737 ) * on Sunday November 21, 2004 @07:30PM (#10883598) Journal


    You don't need root (which they have said), because root can simply create a "web" or "www" group on the system (in the highly unlikely event one doesn't already exist), make you a member of the group, and give the group full privs on the stuff the webmaster needs privs on, e.g.:


    • /etc/httpd/ and things under it, so you can tweak httpd.conf
    • /var/log/httpd/ and things under it, so you can munge logs
    • wherever Postgres lives
    • whatever the web docroot is.


    That's the course I'd probably take, in your root's shoes.
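The group-based delegation from the comment above, as an added example (not code from the thread): one function the administrator runs as root to hand a tree to the web group, and one that audits the tree afterwards for drift. The function names are hypothetical, and the group name and paths are whatever the caller passes in.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the group (e.g. "www") and
# the trees (docroot, /etc/httpd, /var/log/httpd) are supplied by the caller.

# Hand each tree to the group: group ownership, group read/write, setgid on
# directories so new files inherit the group, and no world write.
grant_web_group() {
    grp=$1; shift
    for tree in "$@"; do
        chgrp -R "$grp" "$tree" &&
        chmod -R g+rwX,o-w "$tree" &&
        find "$tree" -type d -exec chmod g+s {} + || return 1
    done
}

# Print every entry that breaks the model; return 1 if any was found.
audit_web_group() {
    grp=$1; shift
    bad=$(
        for tree in "$@"; do
            find "$tree" ! -group "$grp"            | sed 's/^/wrong-group /'
            find "$tree" ! -type l -perm -0002      | sed 's/^/world-writable /'
            find "$tree" ! -type l ! -perm -0060    | sed 's/^/not-group-rw /'
            find "$tree" -type d ! -perm -2000      | sed 's/^/no-setgid-dir /'
        done
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Running `audit_web_group` from cron gives the administrator a cheap check that the delegated trees have not picked up world-writable files or entries owned by another group.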

  • My 2 cents (Score:4, Informative)

    by eyeball ( 17206 ) on Sunday November 21, 2004 @08:46PM (#10884040) Journal
    There seems to be a lot of 'you don't need root access' replies. I'd go so far as to say 'avoid root access if you can,' especially in a politically volatile environment. You'll get less blame when something goes wrong, and you can relax while they take care of the system patching, managing its network connectivity, disk space, etc.

    Working on a non-root server feels weird at first if you've run your own box for a long time, but other than the inability to listen on ports 1024 and a few minor resource restrictions, you should be better off. Coexisting on someone else's server can even make you very conscientious and more likely to keep a tidy server.

    Also, if you have to ask the administrator to upload files every time you change them, and you find yourself making many changes, ask yourself if you are doing too many updates because you don't have a proper test/dev/stage environment (if not, shame on you!). If not, maybe a compromise could be made to script a bulk site transfer from stage to production that you could control.

  • Chroot Jails (Score:3, Informative)

    by Bios_Hakr ( 68586 ) <xptical@g3.14mail.com minus pi> on Sunday November 21, 2004 @10:10PM (#10884461)
    Have the admin look into using 'chroot.' Basically, he can build a virtual computer inside the actual computer...or something like that. Anyway, I know that my hosting company has 10 people per server and everyone has root in their own virtual computer.

    Anyway, the point is if you screw something up, his server remains mostly unaffected.
  • Re:My 2 cents (Score:2, Informative)

    by BJH ( 11355 ) on Monday November 22, 2004 @07:33AM (#10886817)
    Good answer.

    I work a lot on boxes for which I do not have root access (financial systems), and it's absolutely unnecessary if your admin is competent.

    Add a new user? Ask the admin.
    Restart a system service? Ask the admin.
    Implement regular backups? Ask the admin.

    Remember, it's his JOB. He's paid to do that sort of thing; you aren't. You're paid to get your application working and keep it working.

    (Actually, you can do an awful lot even without root access. I've built a fairly comfortable environment on a bare Solaris box, including gcc, emacs, vim, Tcl/Tk, CVS, blackbox (because otherwise I would have been stuck with Exceed's godawful window handling), and many other utilities, and root was not required for any of that. There's a reason such things as PATH and LD_LIBRARY_PATH exist.)
  • by vadim_t ( 324782 ) on Monday November 22, 2004 @05:44PM (#10892004) Homepage
    This doesn't work (just checked), but since you can see /etc/shadow you can now run John the Ripper against it. And it's *very* effective. Unless the system has really good passwords it'll eventually get some of them, and from there you can potentially wreak havoc.

    john's pretty fast, you can be almost certain to get something in an hour from a shadow file with many accounts, or at least something in a day.

    There are other possibilities, like grepping log files and root's .bash_history for passwords typed in the wrong place. For example, if the admin types the password instead of the username you'd get it in the logs in clear text.
  • possible aid... (Score:2, Informative)

    by Rewbob ( 89555 ) on Monday November 22, 2004 @10:03PM (#10894394)
    To perhaps ease your pain some, check out my stash [freshmeat.net] project. It was designed with stubborn sysadmins in mind.... It eases the process of installing stuff into your home directory.
