sudo and /etc/sudoers

Smoot Carl-Mitchell smoot at tic.com
Tue Dec 30 05:40:42 UTC 2008


On Tue, 2008-12-30 at 14:19 +1000, Res wrote:
> On Mon, 29 Dec 2008, Smoot Carl-Mitchell wrote:
> 
> > password.  There are any number of ways to handle this situation.  You
> > can keep pertinent information in a notebook kept in a secure location.
> 
> great! let's write down the root passwords LOL *shakes head in amazement*

Don't be ridiculous.  You write them down and put sensitive passwords in
a secure location.  Suppose a disaster strikes and your key personnel
are unavailable?  Who handles getting people administrative access in
that situation?  If you do not have the keys available, you are screwed.
Disaster recovery plans anticipate this sort of situation.  Writing down
access codes and instructions and locking them up someplace ready to be
used in an emergency is simply prudent business practice.

What are you going to do, for example, if you have a server cluster with
a 99.999% availability requirement?  You are going to need the
administrative account passwords to keep the system running.  You are
not going to want to take it down and reset the root password by taking
the system down and rebooting.  You are going to want the password
available. 

I worked with a Disaster Recovery expert a few years back and provided
input into the recovery plan for Unix (Sun Solaris) servers running
Oracle database applications which included rebuilding all the servers
from scratch and all the instructions and account names and passwords
needed to recover all the production systems if all the system admins
were unavailable. It is not unusual to include sensitive password
information in such a document, so the systems can be recovered in a
timely manner by other personnel.

> > Your example also points out the weakness of distributing the root
> > password to the system admins.  If one leaves or gets fired, you have to
> 
> It may be an issue, but there are ways around that.

Sure, there are ways around any situation, but why not take the simpler
path?

> I dunno, maybe you people just don't vet your stuff well enough, are 
> yankies allowed to have criminal history checks on employees?
> it seems maybe not...

Yes, we can do criminal history checks on employees. It is done all the
time for sensitive positions.
-- 
Smoot Carl-Mitchell
System/Network Architect
smoot at tic.com
+1 480 922 7313
cell: +1 602 421 9005



