Re: [Veritas-bu] Non-root administration
2008-07-02 13:48:24
I’m afraid I’m going to have to respectfully disagree with you, there, Ed. I trust a new backup admin in that I trust him not to circumvent the security that I have set up. (OK, Trust but verify.) That’s not the same thing as saying “Well, he’s the backup guy, so he can easily get root if he’s a black hat, so we might as well give him root.”
The backup admin is often a junior person, and handing them the complete keys to the kingdom just because it makes his/her job easier isn’t something I’m interested in doing.
So what’s the official non-root admin answer for 6.5? I didn’t realize the non-root-admin script was gone.
________________________________________________________
Curtis Preston | VP Data Protection
GlassHouse Technologies, Inc.
T: +1 760 710 2004 | C: +1 760 419 5838 | F: +1 760 710 2009
cpreston AT glasshouse DOT com | www.glasshouse.com
Infrastructure :: Optimized
From: veritas-bu-bounces AT mailman.eng.auburn DOT edu [mailto:veritas-bu-bounces AT mailman.eng.auburn DOT edu] On Behalf Of Ed Wilts
Sent: Wednesday, July 02, 2008 6:21 AM
To: Esson, Paul
Cc: veritas-bu AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] Non-root administration
On Wed, Jul 2, 2008 at 8:06 AM, Esson, Paul <Paul.Esson AT redstor DOT com> wrote:
Can I ask the group with UNIX Master Servers how they administer NetBackup? We have just moved up to 6.5 on Solaris 10 from 5.x and discovered the nonroot_admin script is gone. I could re-apply the equivalent manually but this method obviously has limitations.
I need to be able to run various commands, use these in scripts and edit certain files on the Master and the UNIX admin won't give me root access. Will sudo help here?
We use sudo extensively here but then we use it to get root. Our DBAs use sudo to be able to kick off database restores from our master server.
A UNIX admin that will let you backup and restore his system but won't give you root access is being very shortsighted. If he thinks he's added any level of security at all, he's wrong. You can simply "restore" your own copy of the password file, sudoers, etc. If you are able to do backups and restores, you effectively have total control of those systems.
We have a good working relationship with our system admins - we manage the application from start to finish but they manage the OS, including patches. We always communicate what we're doing and why. Once you build that level of trust, you should be able to get the access you need to do your job completely.
If the admins are going to be pains, however, call them frequently in the middle of the night. Every time a backup job fails, wake them up and ask them to look at a log or config file. They'll get the hint... :-)
I believe I've said it here before - if you don't trust your backup administrator, find yourself another one. The same holds true for your system administrators and everybody who has physical access to your systems. And your receptionists :-)
.../Ed
--
Ed Wilts, Mounds View, MN, USA
RHCE, BCFP, BCSD, SCSP, SCSE
mailto:ewilts AT ewilts DOT org
If I've helped you, please make a donation to my favorite charity at http://firstgiving.com/edwilts
_______________________________________________
Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu