Security Operating Systems Software Unix

UNIX Systems Control Politics?

pariahdecss asks: "I have just been hired as the webmaster for a local college. The website for which I am responsible is hosted 'in-house' and controlled by the college. The server box does not have any other production systems on it besides my website. The website that I have inherited is driven by an amalgam of Embedded Perl and PostgreSQL. Now to the politics...the UNIX Administrator does not want to give me root access to this box. What have others done when faced with this type of systems politics? Is it even possible to function as a full scale webmaster without root access to the box you serve from?"
This discussion has been archived. No new comments can be posted.

  • Yes (Score:5, Insightful)

    by metalhed77 ( 250273 ) <andrewvc@gmaCOUGARil.com minus cat> on Sunday November 21, 2004 @11:26AM (#10880757) Homepage
    It's entirely possible to function without root. Albeit to a limited extent. You have to ask your admin to install / upgrade software for you, but do it enough and maybe he'll get sick of it and give you root. Next?
  • No (Score:5, Insightful)

    by cookiepus ( 154655 ) on Sunday November 21, 2004 @11:30AM (#10880785) Homepage
    You're the one trying to do politics. Your domain as webmaster is html files, scripts, etc. You don't need to have root pass to upload files. Everyone who uses someone else's system for hosting is a webmaster w/o root access to the server. The two things are unrelated.

    Ask your sysop to do things whenever you don't have access to do something (set up a db?) If this happens often enough he'll reconsider the policy, but most likely you will be just fine w. the privileges you have.

  • by Gothmolly ( 148874 ) on Sunday November 21, 2004 @11:45AM (#10880872)
    Test, and Production. Build a linux box, give yourself root, do all your play work there. When it's time to make real changes, in 1 shot, ask the SA to do whatever you need (upgrade PHP to version foo, edit config file bar, etc). They're more likely to do it if you don't nickel and dime them every day for little stuff. Plus, you have the added bonus of not fscking up your main, real, this-is-your-paycheck website doing test work.
  • by thenerdgod ( 122843 ) on Sunday November 21, 2004 @11:58AM (#10880933) Homepage
    You should only need root-style access to do one thing, and that's restart apache. And if your sysadmin uses, say, iptables/ipfilter, he could just redirect port 80 to some port above 1024 and then you wouldn't even need root at all! Quit whining!

    "But Wait!" you say, "What about software upgrades? New Perl modules?" --Sorry, bub, installing and upgrading software is exactly what the sysadmin is there for. These are her systems. Not yours.

    It's likely your sysadmin is smarter than you, and has been doing this longer. And while I'm sure you have "teh lunix" at home and run X as root "all the time", that doesn't make you worthy of having root on the university's box. Quite frankly, having been through this from the sysadmin's side, No, you don't need root, and it's YOU who's playing the political game, not them. It's their box, their system, their software. The limousine company owns the cadillac, you just drive it around and make sure it has gas. Thank you. Move along!

  • Your answer (Score:5, Insightful)

    by Safety Cap ( 253500 ) on Sunday November 21, 2004 @12:14PM (#10881007) Homepage Journal
    "~ the UNIX Administrator does not want to give me root access ~. ~ Is it even possible to function as a full scale webmaster without root access to the box ~?"

    This article advocates a

    ( ) technical ( ) legislative ( ) market-based (x) vigilante

    approach to website administration. Your idea will not work. Here is why it
    won't work. (One or more of the following may apply to your particular idea,
    and it may have other flaws which used to vary from organization to
    organization before a poorly thought-out, ineffective approach is suggested.)

    (x) Sudo will allow you to do what you need
    ( ) Installing extra software on a machine without the Admin's knowledge
    is bad
    (x) You don't know what you're doing
    ( ) Hosting w4r3z and hacks on company-owned equipment is bad
    ( ) You are not mature enough to manage a box in a production environment
    ( ) Your users will not put up with it
    ( ) SCO will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from the Admin
    (x) Requires immediate total cooperation from everybody at once
    (x) Your employers cannot afford to lose services or alienate students
    ( ) Students don't care about your lack of web admin skills
    (x) Anyone could anonymously destroy your entire site due to your
    inept administration skills

    Specifically, your plan fails to account for

    ( ) University rules expressly prohibiting it
    (x) Lack of centrally controlling authority for servers
    ( ) 5kr!pt k!dd!35 installing open relays
    ( ) Backup and restore
    ( ) Asshats
    ( ) Jurisdictional problems
    (x) Unpopularity of weird new configurations
    ( ) Students' reluctance to use an obviously hacked site
    ( ) Huge existing software investment current setup
    ( ) Susceptibility of poorly configured machines to attack
    (x) Your willingness to install OS patches in a timely manner
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Extreme fun of web h4xx0r5
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate school administrators
    (x) Extreme stupidity on the part of people who think they need root
    in order to do their job
    ( ) Bandwidth costs that will increase once the b0xx3n are pwned
    ( ) IE

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever been
    shown practical
    (x) Any scheme based on 'su' is unacceptable
    ( ) Lack of knowledge upon how to manage a web server should not be the
    subject of politics
    ( ) .htaccess sucks
    ( ) mysql sucks
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of campus networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Surfing the web should be easy
    (x) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    (x) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time root access is cumbersome
    ( ) I don't want the campus regents looking over my shoulder
    ( ) Web admins who have been coasting along with barely any knowledge
    of what they're doing should be killed in a way that is slow and painful

    Furthermore, this is what I think about you:

    ( ) Sorry dude, but I don't think it would work.
    (x) This is a stupid idea, and you're a stupid person for suggesting it.
  • You don't need it (Score:4, Insightful)

    by dimss ( 457848 ) on Sunday November 21, 2004 @12:31PM (#10881097) Homepage
    You can run Apache, perl and PostgreSQL without being root. Ask your admin for two things: port 80 mapping to 8080 and calling your startup.sh after boot (I do so in rc.local). And you're there.
  • by DarkDust ( 239124 ) * <marc@darkdust.net> on Sunday November 21, 2004 @01:11PM (#10881293) Homepage
    Seriously, the only thing I could imagine where you'd need root access is restarting the webserver if it's serving from port 80 directly. As others have pointed out, you could have the sysop do portforwarding from port 80 to 8080 and then be able to run Apache on port 8080 as normal user. Or you could have him give you sudo access to the Apache rc script.

    Other than that I fail to see where any root access would be needed. You'll write and edit HTML and script files and you'll do some database stuff. There's absolutely no need to be root here.

    I think a sysop who doesn't give you root right away is a good sysop. UNIX gives you all the tools and concepts to let you do your work without ever being root. But you have to get used to it. In the beginning you'll have to bug the sysop a lot but within a short timespan you'll finally get to a point where you won't need him anymore as you'll then be able to do your work... without being root :-)

  • by M1FCJ ( 586251 ) on Sunday November 21, 2004 @01:34PM (#10881430) Homepage
    Nope, still not necessary. Apache/MySQL/perl/PHP can be compiled and installed anywhere you like and doesn't have to be owned by the root. All of these (if applicable) can use unprivileged ports and the only thing the root has to do is use iptables/ipfwd rules to make sure it is accessible as if they are running on privileged ports. This is applicable especially if you are old-school, you should know how to change mysql's default listening port. Any odd idiot might not know how to do this but you probably would.

    As for the contents and access, they are all files on a file system. Given the right access, you don't need more.

    Even more importantly, as a secure site policy, webadmins should never have root accesses, in case the webadmin's account gets hacked into, they should not even be able to see inside the system. In some scenarios a chroot jail might be the best solution. Still no need for root access. That'd be just stupidity.

  • by Anonymous Coward on Sunday November 21, 2004 @01:48PM (#10881499)
    Every year I have to hear about this bullshit.

    Listen kid, we're going to tell you this now, don't forget this lesson. You are not special. You are not the brightest little ray of knowledge to ever grace the halls of your university. In fact, the odds are very much that you aren't even good enough to be the layer of slime the illumnai pond scum will float on. There are 10,000 other eager little faces just like you. And the odds are you aren't anywhere near the top end. If you were, the faculty would be putting you to better use than being the webmaster. Any idiot can be the webmaster, quite successfully, however, giving that idiot root would endanger the system the sysadmin is charged to maintain.

    To summarize:
    1) You are not special
    2) You should simply be happy you beat out those not smart enough to be webwanker
    3) You should put your little ego at the door and realize the sysadmin is only doing his job, if he were stupid enough to hand you root, he should be fired.
    4) Webwanking is not a technical task.
    5) Webwankers *SHOULD* *NEVER* *EVER* have root. It *ALWAYS* ends badly, at my university we have a policy that says just that. And many defacements have been avoided because of it
    6) Grow up! The sysadmin is getting sick of hearing this bullshit year after fucking year!
  • Simple Criteria (Score:2, Insightful)

    by qux.net ( 107853 ) on Sunday November 21, 2004 @02:22PM (#10881636) Homepage
    If you break the server by installing/misconfiguring/changing configs, who will fix it?
    If the server goes down in the middle of the night/weekend due to configuration who will have to fix it?

    If the first is not you, you don't get root.
    If you don't at least share responsibility in the second (either whoever's on duty or gets to it first, or it stays down once it's determined it's your problem until you fix it), you don't get root.
  • by mkcmkc ( 197982 ) on Sunday November 21, 2004 @02:34PM (#10881710)
    To answer your question, it all depends. If your admin is good, not a misanthrope, and is basically interested in seeing the website succeed, you don't really need root. If not, you're probably going to fail anyway, as, even if you have the root password, he has more power to make you fail than you have to succeed.

    Almost every job I've ever had has featured at least one technically incompetent, obstructive co-worker. You can try to point this out to the higher ups, but your main options are to deal with the person via diplomacy or to find a new job.

    I once suffered, without root, under an admin who gave everyone the same home directory path, where the actual directory on each machine was owned by the user on whose desk the machine sat. So, if I logged into joe's machine, I'd be running his .login/etc rather than mine. (The admin claimed that this scheme simplified backups.) There were lots of other problems of a similar scale with this project, and no one with both technical skill and power to correct them. In a case like this, all you can really do is leave.

    If you're new, I'd give it at least six months. You may not even have figured out yet who the true problem people are on your job. Maybe this admin will turn out to be your best friend or mentor (or vice versa).

    Mike

  • Re:Your answer (Score:1, Insightful)

    by Christopheles ( 803724 ) <{slashdot.z.klar} {at} {neverbox.com}> on Sunday November 21, 2004 @03:29PM (#10882055)
    And if it gets rooted, whose fault is it? Seems like that alone is reason enough to just get the sysadmin to do everything.
  • Re:Ego (Score:1, Insightful)

    by Anonymous Coward on Sunday November 21, 2004 @04:33PM (#10882397)
    It's not a matter of ego at all. I don't give out root to the boxes I administer, although I've been asked many times. Why? Because when something goes wrong, I'm the one that's going to take it in the ass, not them. Blaming the other guy won't be an acceptable excuse.

    The old excuse of installing software is also bullshit. You can install almost any program in your local directory.
  • by Farmer Jimbo ( 515393 ) on Sunday November 21, 2004 @05:58PM (#10882952)
    1.) If I had mod points I wouldn't be posting this reply.

    2.) I had forgotten how truly evil it can be to work with 20-year-olds who think they know everything.

    3.) I remember being 20 and thinking the world was so lucky to have me. Thank god someone older and wiser stepped on me hard and made me realize I was being a snot.
  • Re:Yes (Score:2, Insightful)

    by yasth ( 203461 ) on Sunday November 21, 2004 @06:37PM (#10883251) Homepage Journal
    A lot of people like to use special user accounts for apache/db daemons, esp. in production environments. (Though there is some debate about this).

    Oh well doesn't matter anyways. The proper way to handle such things is to make requests on paper, and with deadlines, you will either get what you need, or you will get root. (Truthfully if someone wants to maintain a server for me, handle backups, and manage security updates, well that isn't something I would complain about unless they didn't actually do it)

  • Re:Mod parent up (Score:3, Insightful)

    by TheLink ( 130905 ) on Sunday November 21, 2004 @10:18PM (#10884503) Journal
    Apparently pariahdecss is in charge of/responsible for the webserver and it's the sole app there.

    If the UPS/power supply/something makes funny noises or whatever, someone might want to go shut it down gracefully.

    Might as well allow pariahdecss to do it.
  • Posting too vague (Score:3, Insightful)

    by georgewilliamherbert ( 211790 ) on Monday November 22, 2004 @03:03AM (#10885913)
    As has been pointed out more rudely by dozens of earlier responders, nothing in the initial question argues for needing root.

    The job role of Webmaster varies widely, from people whose responsibility it is to make sure that the links work and just about only that, to people who own the applications and content management, to people who build the server from bottom up including OS install and web apps and programming and HTML code and UI specification.

    The latter person owns the box. Most of the people short of that level don't need root. If you're maintaining the applications environment and need to install new versions of Apache, PostgreSQL, Tomcat or whatever, then you and the sysadmin need to come to an agreement on how that gets done.

    If you need to restart Apache, that's what Sudo is for.

    In any case, your job, rather than escalating the situation, is understanding and communicating the situation. If you need root, you need to understand and articulate why you need root. If you can't justify why you need it, you shouldn't be trying to go over his or her head. If you can make the case clearly and they still won't let you have it, then you can escalate.

    But understand first and explain second.
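
The arrangement several posters describe (sudo for the Apache control script only, with port 80 redirected to 8080), as an added example that is not part of any poster's comment: a POSIX shell check that flags sudoers rules granting a web account more than that. The `webmaster` account, the `/usr/sbin/apachectl` path and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudoers rules that give a web account more than
# "control the web server". Account name, binary path and rules are constructed.
#
# Admin-side companion step from the thread (run once by root, not by this
# script), so Apache itself can listen on 8080 as a normal user:
#   iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

ALLOWED_BIN=/usr/sbin/apachectl                 # assumed install path
ALLOWED_ARGS='start stop restart graceful configtest'

# Classify one command taken from a sudoers command list.
check_cmd() {
    set -f; set -- $1; set +f                   # split into words, no globbing
    [ "$1" = "$ALLOWED_BIN" ] || { echo BROAD; return 0; }
    # A command listed without arguments may be run with ANY arguments.
    [ $# -eq 2 ] || { echo BROAD; return 0; }
    case " $ALLOWED_ARGS " in
        *" $2 "*) echo OK ;;
        *)        echo BROAD ;;
    esac
}

# Print "OK <cmd>" or "BROAD <cmd>" for every command granted to user $1
# in sudoers fragment $2 (rule shape: user host = (runas) [TAG:] cmd, cmd).
audit_user() {
    awk -v u="$1" '$1 == u { sub(/^[^=]*=[ \t]*/, ""); print }' "$2" |
    sed -e 's/^([^)]*)[[:space:]]*//' -e 's/^[A-Z]*:[[:space:]]*//' |
    tr ',' '\n' |
    while IFS= read -r cmd; do
        cmd=$(printf '%s\n' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        echo "$(check_cmd "$cmd") $cmd"
    done
}

# Constructed sample fragment: one narrow rule and three overly broad ones.
sample_fragment() {
cat <<'EOF'
# constructed sample rules for a hypothetical "webmaster" account
webmaster ALL = (root) NOPASSWD: /usr/sbin/apachectl graceful, /usr/sbin/apachectl configtest
webmaster ALL = (root) /usr/sbin/apachectl
webmaster ALL = (root) /bin/sh
webmaster ALL = (ALL) ALL
EOF
}

tmp=$(mktemp) && sample_fragment > "$tmp"
audit_user webmaster "$tmp"
rm -f "$tmp"
```

A real drop-in should still be syntax-checked with `visudo -cf <file>` before it is installed.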

  • by janic ( 102538 ) on Monday November 22, 2004 @12:27PM (#10888722) Homepage
    That actually brings up a really good point. What exactly is supposed to be doing on the site?

    If the O.P. is just supposed to be managing content, then web pages, images, and database content are his domain. Period. Live with it, or ask the sysadmin to set up a test/staging server that he has access to, and maybe root on, then all content changes get rsynced across.

    If he is supposed to be managing the app servers (ie: mod_perl code, or something that would require apache to get the occasional kick in the crotch) then he does need a bit more access. But that can still be done with group memberships, sudo, and a bit of work on the SA's part to write some scripts to do some of the dirty work.

    My advice, would be for him to just _ask_ his SA straight out, "I need to do X part of my job, which means I need access to Y* resource. In the past I have done it like Z, but how would you like me to do it?" (Where "Y" != "a root shell".)

    BTW, I AM a sysadmin. Developers who whine at me continually that they need root access get told to go think about what they really need, then come back. If you approach your SA with a plan for what you want to do, and how you want it done, then work _with_ him to make it happen, (it _is_ a two-way street) you will find that you will have less crap work to do "managing" a system, and he will have less crap work to do cleaning up after a developer. (less crap == happy sysadmin == better work environment)

    Cheers!
    John

  • by agristin ( 750854 ) on Monday November 22, 2004 @01:26PM (#10889347) Journal
    No developer should have root on PRODUCTION boxes.

    The process should be:

    development happens on development box (workstation, server whatever). Developers may have root on this- if they do, they manage it, OS hardware and all. Developers will use sudo if anyone else is responsible for the server hardware and OS. This should never be exposed to untrusted networks.

    QA stage: if you are poor or small, do this against the development box. If not this should be a separate QA box. This should be managed by QA team. If the sysadmin is the same, the sysadmin should hold root, qa team may sudo, developers should not be accessing this box directly (except in emergency, then they will be shepherded by QA). This should also not be exposed to untrusted networks unless you have an excellent (and obeyed) security policy and review.

    Production: only the sysadmin has root, no one else should have access. The sysadmin publishes to production- using the release that QA approves. Highest security policy applies here.

    If your QA and dev team are the same, collapse development and QA- but trust me keep production separate.

    -A
  • by Anonymous Coward on Monday November 22, 2004 @04:57PM (#10891402)
    "Is it even possible to function as a full scale webmaster without root access to the box you serve from?"

    If you have to ask this question, then you do NOT need root access.

    Managing content only requires read/write privileges to the content, which can easily be done by creating a login account for you that has such access. You do not need any other access. If you want something installed that does require root (should be very rare occurrence), then email the system administrator.
  • by rthille ( 8526 ) <web-slashdot@@@rangat...org> on Tuesday November 30, 2004 @02:17PM (#10954527) Homepage Journal
    Did you try it?
    It won't work, because in the second command, '/bin/cat' isn't opening /etc/password, it's your shell, running with your permissions.
