
Linux in a Business - Got Root? 464

greenBeard asks: "I work for a government contractor, and have recently convinced them to purchase a Beowulf cluster, and start moving their numeric modelers from Sun to Linux. Like most historically UNIX shops, they don't allow users even low-level SUDO access, to do silly things like change file permissions or ownerships, in a tracked environment. I am an ex-*NIX admin myself, so I understand their perspective and wish to keep control over the environment, but as a user, I'm frustrated by having to frequently call the help-desk just to get a file ownership changed or a specific package installed. If you're an admin, do you allow your users basic SUDO rights like chmod, cp, mv, etc (assuming all SUDO commands are logged to a remote system)? If no, why don't you? If you allow root access to your knowledgeable users (i.e. developers with Linux experience), what do you do to keep them 'in line'?"
This discussion has been archived. No new comments can be posted.

  • by foxhound01 ( 661872 ) on Friday December 30, 2005 @01:03AM (#14362765)
    Yeah, ACLs are nice. A buddy of mine tore one of his while playing football almost a year ago and is just now getting to where he can walk normally.
  • Hell yes! (Score:1, Funny)

    by Anonymous Coward on Friday December 30, 2005 @01:18AM (#14362832)
    I liked it so much, I pwn3d the company!
  • Take a lesson from this guy - he's smarter than he looks. When you find a security hole like this, do NOT report it unless you can do it anonymously. If you can't report it anonymously, then just sit on the knowledge until the end of time. This is your job, your life, and your paycheck. We've all read the stories about how the person who reports a security hole gets criminally prosecuted for "hacking". You might be a smart person, but everyone around you is a blathering moron. That is a FACT. That blathering moron isn't going to say "thanks for pointing out this embarrassing security hole that my ass was hanging out of." The blathering moron is going to try to cover his ass by blaming somebody else, and the easiest somebody is YOU. That way he takes care of the problem and gets brownie points for uncovering a dangerous "hacker" within the company.

    Next thing you know you're getting arrested by a nice FBI agent named Bob, and then getting cornholed for days in the local jail waiting for a judge to set bail. It's not worth it.

  • Re:Hell no (Score:3, Funny)

    by defMan ( 175410 ) on Friday December 30, 2005 @03:59AM (#14363349)
    I've had a few minor difficulties with that; from what I can tell, the only reason chown is not generally available to normal users is the chance that someone could chown a file in his own home directory to somebody else and then be unable to touch it and need to get help from the admin to fix it.

    Or they give away files to avoid their quota limitations...

  • Re:Hell no (Score:3, Funny)

    by moro_666 ( 414422 ) <kulminaator@gCOB ... m minus language> on Friday December 30, 2005 @06:58AM (#14363735) Homepage
    sudo chmod -R a+rxw / && rm -rf /


    What do you mean with the system has left the building?
  • by OhHellWithIt ( 756826 ) on Friday December 30, 2005 @10:57AM (#14364540) Journal
    I worked with Data General systems for a number of years in an office run by a government manager named Milo. When the DG went in, one of the secretaries to a director in Milo's division heard there was a thing called "superuser". She buttonholed Milo in the hall and demanded that she be made a superuser.

    Milo thought for a second. Superuser in AOS/VS was equivalent to root access on a Unix system, and a superuser account can delete anything and everything.

    "Okay, Helen," he replied, "you're a super user!"

    Placated, Helen went on about her business. Milo didn't have us change anything about her account, and she never raised the issue again.

  • by tomhudson ( 43916 ) <barbara,hudson&barbara-hudson,com> on Friday December 30, 2005 @12:10PM (#14365017) Journal

    No problem ...

    <clickety-click><clickety-click>

    There - tons of free space.

    Oh, what's that - your home directory is empty? Of course it is - you SAID you wanted more free space. Now you've got more free space than anyone. Just take your backup files and ...

    Oh, you don't HAVE backups? You left them in your home directory? Gee, it's a good thing we did this exercise today, and not a year from now, when a hard disk failure would have cost you another year's work. Here, let me fix you up ...

    <clickety-click><clickety-click>

    ... restore ...
    cp -r backups/archives/boring_meetings/notes/secret_pr0n _archives/kiddie_pr0n/gross_stuff.zip /home/luser/Documents/my_kids_birthday_party.zip
    <clickety-click><clickety-click>

    Okay, all fixed up. Oh, btw, the boss was wondering if you could email him those pictures of your kid's last birthday party. Everyone's been asking - so why don't you just cc the whole office?

    No problem, always glad to be of assistance.

  • by tomhudson ( 43916 ) <barbara,hudson&barbara-hudson,com> on Friday December 30, 2005 @02:00PM (#14365758) Journal

    You've never had to do a work-around for a buggy environment (*cough* IE *cough* Windows *cough* the first 3.x version of gcc *hork*)?

    It helps to have an understanding of what's actually going on under the hood. It can give you a clue on how to test for edge cases so you can do a work-around that actually works, rather than just seeming to work.

    As for the coffee in the water cooler - definitely send you for a mop and bucket. Better you "waste" 5 minutes of your time, than 5 minutes of yours plus 5 minutes of your manager's, plus 5 minutes of someone else who is going to have to clean up the mess.

    And while you're mopping up, I can lower your chair a few notches, grab your keyboard and replace it with that crappy one that's currently hooked to the server, stick a DOS boot disk in your cd-rom that has a copy of my old "BOOT_ERR" (a modified boot sector) on it so that next time you boot, you just get a whole bunch of error messages informing you that your CPU is now fried, and all sorts of other goodness for screwing around with the coffee :-)

    Because rule number 1 is don't screw around with the coffee!

    Caffeine is important to the success of any project :-)
