|
|
Sponsored Content
Top Forums
Programming
Open Source
Vendor root access
Post 302975274 by zaxxon on Friday 10th of June 2016 04:22:40 AM
06-10-2016
What makes you sure that they don't need root access? There are of course commands, that can be only issued as root. Sure they can be added to sudoers, but they would have to list every one of them so you can allow them but this might be somewhat tideous.
It can also be of course for the ease of installation, that they ask for root access, which I do understand.
Yes, there are installations that can only be done as root or at least partially. When this is the case, there is usually some admin sitting next to them to at least check what they do. It should be inhouse and via remote session. That could be a criteria, that a software is only allowed on your systems when it can be setup with an own user in the selection process of a software before it is bought.
Though - there can always come code on your machines, that could do harm in terms of spying or destroying/manipulating data.
I doubt strongly, that anyone does a full code check of the software that is being installed on their systems even if it does not run with root permissions. For example - does anybody know what is in the complete code of an Oracle RDBMS installation? It is not even open source.
Even if it was open source software, who has the time, knowledge etc. to check every line of code if it has anything malicious in it.
Also usually most servers are placed in an internal network, protected by one or more firewalls, as long as you are no hosting company (they might have some mechanisms too, but I have no experience about it).
So any gathered data usually can not be sent outside your companies network as it would bounce against the firewall and hopefully alert the network guys for irregular communication.
There is still other ways to get the data out of the company, but this is broad and complex thing, which should be an issue for the security guys in the company.
And as Don says, it is always a question of trust and also of legal rules and liability in contracts with vendors which takes a big part in what you let them do or not.
You sometimes have to make compromises between security and get the stuff up and running.
Something like an IDS (AIDE, Tripwire, ...) can also be very good to check what will be modified on your systems. Also an audit system can come in very handy to log, what they do for later issues. These together with a good firewall handling will make ones life a tad less stressful in terms of security. Though you are right to have concerns and not let it pass half asleep
It can also be of course for the ease of installation, that they ask for root access, which I do understand.
Yes, there are installations that can only be done as root or at least partially. When this is the case, there is usually some admin sitting next to them to at least check what they do. It should be inhouse and via remote session. That could be a criteria, that a software is only allowed on your systems when it can be setup with an own user in the selection process of a software before it is bought.
Though - there can always come code on your machines, that could do harm in terms of spying or destroying/manipulating data.
I doubt strongly, that anyone does a full code check of the software that is being installed on their systems even if it does not run with root permissions. For example - does anybody know what is in the complete code of an Oracle RDBMS installation? It is not even open source.
Even if it was open source software, who has the time, knowledge etc. to check every line of code if it has anything malicious in it.
Also usually most servers are placed in an internal network, protected by one or more firewalls, as long as you are no hosting company (they might have some mechanisms too, but I have no experience about it).
So any gathered data usually can not be sent outside your companies network as it would bounce against the firewall and hopefully alert the network guys for irregular communication.
There is still other ways to get the data out of the company, but this is broad and complex thing, which should be an issue for the security guys in the company.
And as Don says, it is always a question of trust and also of legal rules and liability in contracts with vendors which takes a big part in what you let them do or not.
You sometimes have to make compromises between security and get the stuff up and running.
Something like an IDS (AIDE, Tripwire, ...) can also be very good to check what will be modified on your systems. Also an audit system can come in very handy to log, what they do for later issues. These together with a good firewall handling will make ones life a tad less stressful in terms of security. Though you are right to have concerns and not let it pass half asleep
Last edited by zaxxon; 06-10-2016 at 06:55 AM.. Reason: update after some additional thoughts
This User Gave Thanks to zaxxon For This Post:
|
|
10 More Discussions You Might Find Interesting
1. Linux
wish to know how to access root password it root password is forgotten in linux (1 Reply)
Discussion started by: wojtyla
1 Replies
2. SCO
We have SCO 5.0.5 and can't log into system as "root". The system indicates the password is incorrect. No one knows what happened.
How can we resolve this issue.. Are there files we can restore from backup...?
Any suggestions would be appreciated.
Thank you.. (2 Replies)
Discussion started by: RBurer
2 Replies
3. Shell Programming and Scripting
Hi,
I just wanted to know to what files root does not have access, not even read....I read that .profile for any user is the only file which root cannot access is it true..??...If we have to use passwords and ID's in a script can we use them in .profile and call them as parameters..???
... (3 Replies)
Discussion started by: mgirinath
3 Replies
4. Solaris
Hi,
The security auditor give a this statement , what to do ?
On my solaris system (S10)
"The User ID "root" should not be used on the system - the su and
the priviledged account should be used from each administrator for
accountability purposes"
What to do ? (3 Replies)
Discussion started by: falcon16
3 Replies
5. AIX
Hello
I have a question.
I have a box with Aix 5.3 but I want to disable root access direct from any terminal or console. I mean If I want to login to 10.10.10.10
login:root
password *********
Root access is not permited
Which file I have to edit. to the users first login with... (4 Replies)
Discussion started by: lo-lp-kl
4 Replies
6. UNIX for Dummies Questions & Answers
hi
i am new to unix and i have abig task. i have to \run particular commands having root privileges from a non root user. i know sudo is one of the way but i need sum other approach kindly help
Thanks (5 Replies)
Discussion started by: suryashikha
5 Replies
7. Shell Programming and Scripting
Currently in my system Red Hat is installed. And Many user connect to my machine via SSH Techia Terminal.
I want to give some users a root level access.
Can anyone please help me how to make it possible. I too searched on the Google but didn't find the correct way
Regards
ADI (4 Replies)
Discussion started by: adisky123
4 Replies
8. SuSE
I access over 100 SUSE SLES servers as root from my admin server, via ssh sessions using ssh keys, so I don't have to enter a password. My SUSE Admin server is setup in the following manner:
1) Remote root access is turned off in the sshd_config file.
2) I am the only user of this admin... (6 Replies)
Discussion started by: dvbell
6 Replies
9. Ubuntu
We are having a little problem on a server. We want that some users should be able to do e.g. sudo and become root, but with the restriction that the user can't change root password. That is, a guarantee that we still can login to that server and become root no matter of what the other users will... (2 Replies)
Discussion started by: 244an
2 Replies
10. OS X (Apple)
Mac users...
I updated this MBP from OSX 10.12.1 to the brand new OSX 10.12.2 two days ago.
A week ago I installed the Xcode suite.
Now the QT shell audio capture in another recent thread is broken when exporting a file.
It gives an error in a window, paraphrasing, The action is not... (4 Replies)
Discussion started by: wisecracker
4 Replies
LEARN ABOUT DEBIAN
network-test
network-test(1) ifupdown-extra network-test(1) NAME
network-test - check the network and test if everything is fine SYNOPSIS
network-test DESCRIPTION
The network-test program will test your system's network configuration using basic tests and providing both information (INFO), warnings (WARN) and possible errors (ERR) based on the results of these tests. It will check and report on: * Status of the network interfaces of the system including: link status, IP addressing and number of transmitted packets and error rates. * Accessibility to configured routes to external networks, including the default network route, checking the routers configured to give access to the network * Proper host resolution, testing DNS resolution against a known host. * Proper network connectivity, testing reachability of remote hosts using ICMP and simulating a web connections to a remote web server (the web server used for the tests can be configured through the environment, see below) The program does not need special privileges to run as it does not do any system change. However, the behaviour of the program when running as an unprivileged user is not the same as running as system administrator (i.e. root). If the program is run as system administrator it will try to run some tools that are only available to it to speed up some of the tests. The program relies on the use of ip, netstat, ifconfig, arp and (when running as root) ethtool or mii-tool, to obtain information about the system's networking configuration (status of available interfaces and configured network routes). It also uses ping, host and nc (netcat) to do tests of the network connectivity and ensure that the host can connect to the Internet. ENVIRONMENT
The program will, by default, check www.debian.org and its associated web server. If you want to use a different check host you can setup the environment as follows: CHECK_HOST The name of a host to use when testing DNS resolution. CHECK_IP_ADRESS The IP address of the host defined in CHECK_HOST CHECK_WEB_HOST The web server to use for testing purposes when testing network connectivity. CHECK_WEB_PORT The web server port of server CHECK_WEB_HOST that will be used for testing. EXIT STATUS
The program will exit with error (1) if any of the network checks fail. BUGS
This program does not have super cow powers so it is unable to fix the errors by itself. It is also unable to detect if the network is failing due to a local firewall policy been in place so make sure you check your system logs with dmesg (1) to detect if some of the active tests are being dropped due to your local firewall. Other known issues that might make the program not work reliable are: * IPv6: The program does not yet explicitly handle IPv6 only hosts, some of the tests might be biased towards IPv4 and might fail in IPv6 environments. * Proxies: The program does not check network connectivity for hosts that connect through the Internet using a proxy gateway for services. The program might report issues in hosts using proxies even when these might connect to the Internet properly through proxied services. * Firewall environments: some of the tests rely on direct connectivity to external hosts, which are tested using ICMP queries (through the use of ping. These tests might fail in hosts installed in networking environments with firewalls that block outbound ICMP communication. SEE ALSO
ip (8), netstat (8), ifconfig (8), ethtool (8), mii-tool (8), ping (8), nc (1) and host (1). AUTHOR
network-test was written by Javier Fernandez-Sanguino for the Debian GNU/Linux distribution. COPYRIGHT AND LICENCE
Copyright (C) 2005-2011 Javier Fernandez-Sanguino <jfs@debian.org>. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. On Debian systems, a copy of the GNU General Public License may be found in /usr/share/common-licenses/GPL. ifupdown-extra August 23 2011 network-test(1)