
List:       beowulf
Subject:    your mail
From:       Peter Lister P.Lister () cranfield ! ac ! uk
Date:       1998-04-22 5:45:43

> On Fri, 17 Apr 1998, Capt Bohn, Christopher A. wrote:
> 
> > I'm setting up a Beowulf cluster, and my group was discussing whether or not
> > users should be permitted superuser privileges full-time.  From the
> > perspective of protecting the system, we shudder at the thought, but we
> > understand there are certain features for measuring performance, etc, that
> > would be useful for studying the system's behavior.
> > 
> > Does anybody have any insight regarding whether the benefits outweigh the
> > risks?
> 
> I would say that benefits almost certainly do not outweigh the risks --
> unless you have only a very few users, can manage a fair amount of root
> accountability (where you can assign blame for the various disasters
> that will almost certainly follow when novices hold absolute power) and
> are in complete isolation from the internet.

Agreed. This is a fairly common requirement and there are tools which provide
access to superuser privs for named unprivileged users, avoiding pitfalls like
suid scripts. You can define exactly what repertoire of commands are available
to which people, though of course you have to be sure that you don't
inadvertently give people access to a shell or something with equivalent power,
but at least having a single configuration with this kind of tool makes it
easier to keep track of who can do what. I've used a basic one called osh for
allowing people to mount CDs on OSes which don't have a 'user' flag in fstab.
There are others; have a look around.

Ultimately, you do your users no favours by allowing them to accidentally nuke
the system, even if you trust their honesty and competence. I don't trust
*myself* not to screw things up, so I minimise my own root activity.

Peter Lister                             Email: p.lister@cranfield.ac.uk
Computer Centre, Cranfield University    Voice: +44 1234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK        Fax: +44 1234 751814         
---     88.2% of statistics are made up on the spot - Vic Reeves     ---
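
An added example, not part of the original message and not the configuration format of osh or any other real tool: a small audit of a per-user root command allow-list that flags entries handing out a shell or something with equivalent power. The `user: command, command` policy format, the sample users and the two name lists are assumptions constructed for illustration, and the lists are not exhaustive.

```python
import os

# Illustrative, not exhaustive: shells, and programs that can start one.
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}
SHELL_EQUIVALENT = {"vi", "vim", "ed", "less", "more", "man", "find", "awk",
                    "perl", "python", "env", "su"}

# Constructed sample policy in a hypothetical "user: command, command" format.
SAMPLE_POLICY = """\
# who may run what as root
alice: /bin/mount /dev/cdrom /mnt/cdrom, /bin/umount /mnt/cdrom
bob:   /usr/bin/less /var/log/messages, /bin/sh
carol: mount /dev/cdrom /mnt/cdrom
dave:  ALL
"""

def parse_policy(text):
    """Return {user: [command line, ...]} from the hypothetical format."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        user, _, commands = line.partition(":")
        policy.setdefault(user.strip(), []).extend(
            c.strip() for c in commands.split(",") if c.strip())
    return policy

def audit(text):
    """Return sorted (user, command, reason) findings for risky entries."""
    findings = []
    for user, commands in parse_policy(text).items():
        for cmd in commands:
            program = cmd.split()[0]
            name = os.path.basename(program)
            if cmd in ("ALL", "*"):
                findings.append((user, cmd, "unrestricted root"))
            elif name in SHELLS:
                findings.append((user, cmd, "root shell"))
            elif name in SHELL_EQUIVALENT:
                findings.append((user, cmd, "can start a shell or arbitrary command"))
            elif not os.path.isabs(program):
                findings.append((user, cmd, "relative path, resolved via PATH"))
    return sorted(findings)

if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_POLICY):
        print(f"{user}: {cmd!r} -> {reason}")
```
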

