[NCLUG] Re: Who uses SUDO on production machines?

[Bob Proulx]

Sean Reifschneider wrote:
> Of course, that goes without saying...  That's why I didn't say it.  :-)
> Any time you give someone enhanced access, they could use that both now and
> in the future.
> 
> Of course, you could also be logging the sudo commands to a remote machine
> which is secured against the untrusted trusted users, and in that way you
> should be able to detect things that would be the start of a compromise.
> You'd need to run some things in restricted mode so users can't jump out of
> vim to run unlogged commands, or at least a shell that acts as a wrapper
> and logs similarly.

When I see this type of environment I know the company does not trust
the employees.  This is a two-way street.  When I am trusted then I
work extra hard to be trustworthy.  But if big brother is always
watching and monitoring then I am not motivated.  If I have to justify
my actions at that level then they can fix things and generally do
the work themselves and they don't need me in that case.

One of the guys I used to work with was a hacker sort and would poke
at the security of my machines in a friendly sort of way.  I want to
stress that it was friendly and I know that he would never have caused
me more than practical joke trouble.  When we started working together
I immediately gave him root access.  He said, "Darn!  That takes all
of the fun out it." and he never abused the privilege.  I worked with
him and trusted him not to screw me or anyone else over and in return
he was one of the people I could count on to do a good job.  It was
then his system as much as it was mine and he became motivated to
become a protector of it.

Bob