On Nov 19, 2007, at 9:26 PM, Richard Wiggins wrote:
> Hey Matt,
> Thanks for responding, and thanks for your thoughts.
> Can you amplify a bit? What's the standard practice in your world?
The experience I've usually had is based on a pretty simple scenario:
A group of system administrators have access to root through sudo (all
commands are available, and logged, though, this is circumventable if
desired, in general because we have allowed su-ing to other users, at
which point logs of what are run are not kept...one too many layers of
indirection).
We have some developers (which includes some of the sysadmins) who
need access to resources X,Y and Z. I generally grant access to those
resources through a combination of unix group assignments and sudo.
While it is possible to limit which commands are run with sudo, in
practice, we rarely do.
In a previous assignment at MSU, we also supported *many* user
accounts on a variety of machines. We never provided escalated
privilege to those users, though we did manage access to resources
through the traditional use of unix groups and filesystem permissions.
As a historical note, when I first got here, we just use multiple UID
zero accounts, so each sysadmin had their own super-user account.
This has lots of downside, imo, with the upside of being extremely
easy to implement and providing complete freedom to the sysadmins.
>
> When you say:
>> ... "The ability to restrict what commands a user may run on a per-
>> host basis."
>
> I get the idea, but is this what people (sysadmins) actually do?
> To me, it seems that user profiles are the way to go, not
> customizing permissions for each person, per-host. If you have n
> persons times m hosts, it gets complicated, doesn't it?
It's complicated if you really try to cover a gradient of user-types.
If you only have a couple of classes, you stick them in a particular
group, and assign some rights to them via sudo (via those groups).
The sudo configuration leverages the notion of unix groups, so from
the sudoers configuration example:
%users localhost=/sbin/shutdown -h now
would let anyone in the group 'users' run shutdown on the box they're
logged into (all machines are supposed to have a localhost /etc/hosts
entry, which makes distributing policy machine to machine slightly
easier).
There are a *ton* of configuration options (and some nice examples) in
the man page:
zoidberg% man sudoers|wc -l
1082
(that's a lot of doc, imo)
> Matt, I'm asking, trying to learn how real sysadmins in the real
> world actually manage this. It seems like an important topic.
Well, I think the more types of users you support the harder it is,
but the tools exist and are manageable.
We are looking at migrating exclusively to RBAC, but it is a
moderately steep learning/implementation curve when I'm running such a
small team.
./mk
--
Matt Kolb <[log in to unmask]>
Academic Computing & Network Services
Michigan State University
|
