03-25-2014 08:09 AM
Hey guys, first post here.
As our internal fight over root privileges rages on, I'm looking for any thoughts/options you might have. My OS background is primarily Windows.
My question is this: Is it possible to effectively deploy/maintain NNMi by identifying a list of specific commands to be run as root? Any new command would need to be added to this list before it would have permissions to run as root.
Has anyone tried this method? My preference would be to have a checkout system for the root password, but it doesn't look like that will happen. If you've had this difficulty in your organization, I would love to hear how you solved it.
03-25-2014 12:18 PM
It shouldn't be that hard.
You will need full root access to install & patch, but beyond that, how much CLI work do you actually need to do?
You'll want to be able to use commands like ovstatus, ovstop, ovstart, and you'll need to have access to logs, but beyond that you don't need a lot.
Just start by adding commands to a sudoers configuration, work with only that access, and tweak the sudoers configuration as required. It will work best if you've got a good relationship with the OS Admin team, and they can either quickly make changes to your allowed commands, or they can get you short-term full root access.
If you have a strained relationship with that team, and it takes a long time to get changes made, then it will be tough. But then you'll have lots of other organisational challenges anyway.
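A starting sudoers drop-in for the approach described in the reply above, as an added example that is not from any poster in this thread. It assumes the NNMi binaries live in /opt/OV/bin and that operators are in a hypothetical Unix group named nnmiadm; the log file path is a placeholder to be replaced with the real file names.

```sudoers
# /etc/sudoers.d/nnmi-admins
# Install as root:root, mode 0440, and syntax-check before use:
#   visudo -cf /etc/sudoers.d/nnmi-admins
#
# Assumptions (adjust to the actual host):
#   - NNMi binaries are under /opt/OV/bin
#   - operators belong to the hypothetical group "nnmiadm"
#   - /var/opt/OV/log/EXAMPLE.log is a placeholder log file name

# Service control. Always give full paths so a command found earlier
# in the user's PATH cannot be substituted. With no arguments listed,
# sudo permits any arguments to these three commands.
Cmnd_Alias NNMI_SVC = /opt/OV/bin/ovstatus, \
                      /opt/OV/bin/ovstart,  \
                      /opt/OV/bin/ovstop

# Log access. List each file explicitly: a "*" in a sudoers argument
# also matches "/" and "..", so a pattern like /var/opt/OV/log/* would
# allow reading files outside the log directory. Use tail or cat, not
# less, more or vi, which can spawn a root shell.
Cmnd_Alias NNMI_LOGS = /usr/bin/tail -n 500 /var/opt/OV/log/EXAMPLE.log

# Record the terminal output of service control commands for audit.
Defaults!NNMI_SVC log_output

# Members of nnmiadm may run only the commands above, as root only.
# NOEXEC stops the log reader from executing further programs.
%nnmiadm ALL = (root) NNMI_SVC, NOEXEC: NNMI_LOGS
```

Each new command the team needs is added as another full-path entry in an alias, which keeps the list reviewable by the OS admin team.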
03-28-2014 05:02 AM
Sudo works fine even for a non-root installation. I don't have any issues with it on several large systems (>20K nodes, Veritas VCS clustering, multiple SPIs, standalone RPS).
Andy Kemp, CISSP
03-28-2014 02:28 PM
Thanks for the info, Andy. It looks like our Unix team will be handing all responsibility for the servers over to us, rather than share sudo. lol. So that is our solution right now.
03-28-2014 02:31 PM
Hi Lindsay, thanks for your reply. My team (monitoring platforms) is new and had no relationship with the Unix group. As I mentioned below, it looks like they are going to simply hand over all responsibilities to us rather than give us temporary root access. I think this will work out better for us in the end. Thanks again!