LISTSERV 16.0 - MSUNAG Archives

On Nov 19, 2007, at 9:26 PM, Richard Wiggins wrote:

> Hey Matt,
> Thanks for responding, and thanks for your thoughts.
> Can you amplify a bit?  What's the standard practice in your world?

The experience I've usually had is based on a pretty simple scenario:

A group of system administrators have access to root through sudo (all  
commands are available, and logged, though, this is circumventable if  
desired, in general because we have allowed su-ing to other users, at  
which point logs of what are run are not kept...one too many layers of  
indirection).

We have some developers (which includes some of the sysadmins) who  
need access to resources X,Y and Z.  I generally grant access to those  
resources through a combination of unix group assignments and sudo.   
While it is possible to limit which commands are run with sudo, in  
practice, we rarely do.

In a previous assignment at MSU, we also supported *many* user  
accounts on a variety of machines.  We never provided escalated  
privilege to those users, though we did manage access to resources  
through the traditional use of unix groups and filesystem permissions.

As a historical note, when I first got here, we just use multiple UID  
zero accounts, so each sysadmin had their own super-user account.   
This has lots of downside, imo, with the upside of being extremely  
easy to implement and providing complete freedom to the sysadmins.

>
> When you say:
>> ... "The ability to restrict what commands a user may run on a per-  
>> host basis."
>
> I get the idea, but is this what people (sysadmins) actually do?
> To me, it seems that user profiles are the way to go, not  
> customizing permissions for each person, per-host.  If you have n  
> persons times m hosts, it gets complicated, doesn't it?

It's complicated if you really try to cover a gradient of user-types.   
If you only have a couple of classes, you stick them in a particular  
group, and assign some rights to them via sudo (via those groups).   
The sudo configuration leverages the notion of unix groups, so from  
the sudoers configuration example:
%users  localhost=/sbin/shutdown -h now

would let anyone in the group 'users' run shutdown on the box they're  
logged into (all machines are supposed to have a localhost /etc/hosts  
entry, which makes distributing policy machine to machine slightly  
easier).

There are a *ton* of configuration options (and some nice examples) in  
the man page:
zoidberg% man sudoers|wc -l
     1082
(that's a lot of doc, imo)

> Matt, I'm asking, trying to learn how real sysadmins in the real  
> world actually manage this.  It seems like an important topic.

Well, I think the more types of users you support the harder it is,  
but the tools exist and are manageable.

We are looking at migrating exclusively to RBAC, but it is a  
moderately steep learning/implementation curve when I'm running such a  
small team.

./mk

-- 
Matt Kolb  <[log in to unmask]>
Academic Computing & Network Services
Michigan State University