Thanks everyone for the overwhelming response, there were too many to list here.
The consensus (about 99% of the responses) said don't do it, and mentioned sudo.
The problem was our DBAs wanted abilities beyond sudo could provide (as I
understand it). They wanted the sweeping ability to install software not
directly related (like Apache or Java), the ability to su to users accounts,
tweak /etc/system, etc.
When I first started as Sys Admin here (two years ago), all a user had to do was
whine to their boss long enough, and it was mandated that they have the root
password. I've managed to wrestle this away from everyone but the DBAs by
showing that root access was not needed. Unfortunately, management dictated that
I compromise with the DBAs (in the name of good inter-team relations) and give
them the root password. I have demanded that they not install non-Oracle
software and not change any system configuration files. Now I just have to
watch, log, and monitor their use of root. Hopefully I can bring this up in the
future and show that their use of root is not necessary.
Thanks,
Thomas "Must Have Patience" Carter
MEMC Southwest
Original Message:
Gurus,
I am trying to tighten security somewhat, and am currently trying to stave off
an attack by the DBAs for the root password on all systems. Some of them claim
that knowing the root password is essential for their job while I maintain that
it is common for DBAs to not have root access. I would appreciate any input you
could share about your company's policies on knowledge of the root password.
If it matters at all, these are Sparc boxen (250s, 3500s, and a 4500) running
Solaris 2.6 with Oracle 8i.
Thanks in advance,
Thomas Carter
MEMC Southwest
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:06 CDT