On Nov 19, 2007, at 9:26 PM, Richard Wiggins wrote: > Hey Matt, > Thanks for responding, and thanks for your thoughts. > Can you amplify a bit? What's the standard practice in your world? The experience I've usually had is based on a pretty simple scenario: A group of system administrators have access to root through sudo (all commands are available, and logged, though, this is circumventable if desired, in general because we have allowed su-ing to other users, at which point logs of what are run are not kept...one too many layers of indirection). We have some developers (which includes some of the sysadmins) who need access to resources X,Y and Z. I generally grant access to those resources through a combination of unix group assignments and sudo. While it is possible to limit which commands are run with sudo, in practice, we rarely do. In a previous assignment at MSU, we also supported *many* user accounts on a variety of machines. We never provided escalated privilege to those users, though we did manage access to resources through the traditional use of unix groups and filesystem permissions. As a historical note, when I first got here, we just use multiple UID zero accounts, so each sysadmin had their own super-user account. This has lots of downside, imo, with the upside of being extremely easy to implement and providing complete freedom to the sysadmins. > > When you say: >> ... "The ability to restrict what commands a user may run on a per- >> host basis." > > I get the idea, but is this what people (sysadmins) actually do? > To me, it seems that user profiles are the way to go, not > customizing permissions for each person, per-host. If you have n > persons times m hosts, it gets complicated, doesn't it? It's complicated if you really try to cover a gradient of user-types. If you only have a couple of classes, you stick them in a particular group, and assign some rights to them via sudo (via those groups). The sudo configuration leverages the notion of unix groups, so from the sudoers configuration example: %users localhost=/sbin/shutdown -h now would let anyone in the group 'users' run shutdown on the box they're logged into (all machines are supposed to have a localhost /etc/hosts entry, which makes distributing policy machine to machine slightly easier). There are a *ton* of configuration options (and some nice examples) in the man page: zoidberg% man sudoers|wc -l 1082 (that's a lot of doc, imo) > Matt, I'm asking, trying to learn how real sysadmins in the real > world actually manage this. It seems like an important topic. Well, I think the more types of users you support the harder it is, but the tools exist and are manageable. We are looking at migrating exclusively to RBAC, but it is a moderately steep learning/implementation curve when I'm running such a small team. ./mk -- Matt Kolb <[log in to unmask]> Academic Computing & Network Services Michigan State University