|
|
Sponsored Content
Top Forums
Programming
Open Source
Vendor root access
Post 302975274 by zaxxon on Friday 10th of June 2016 04:22:40 AM
06-10-2016
What makes you sure that they don't need root access? There are of course commands, that can be only issued as root. Sure they can be added to sudoers, but they would have to list every one of them so you can allow them but this might be somewhat tideous.
It can also be of course for the ease of installation, that they ask for root access, which I do understand.
Yes, there are installations that can only be done as root or at least partially. When this is the case, there is usually some admin sitting next to them to at least check what they do. It should be inhouse and via remote session. That could be a criteria, that a software is only allowed on your systems when it can be setup with an own user in the selection process of a software before it is bought.
Though - there can always come code on your machines, that could do harm in terms of spying or destroying/manipulating data.
I doubt strongly, that anyone does a full code check of the software that is being installed on their systems even if it does not run with root permissions. For example - does anybody know what is in the complete code of an Oracle RDBMS installation? It is not even open source.
Even if it was open source software, who has the time, knowledge etc. to check every line of code if it has anything malicious in it.
Also usually most servers are placed in an internal network, protected by one or more firewalls, as long as you are no hosting company (they might have some mechanisms too, but I have no experience about it).
So any gathered data usually can not be sent outside your companies network as it would bounce against the firewall and hopefully alert the network guys for irregular communication.
There is still other ways to get the data out of the company, but this is broad and complex thing, which should be an issue for the security guys in the company.
And as Don says, it is always a question of trust and also of legal rules and liability in contracts with vendors which takes a big part in what you let them do or not.
You sometimes have to make compromises between security and get the stuff up and running.
Something like an IDS (AIDE, Tripwire, ...) can also be very good to check what will be modified on your systems. Also an audit system can come in very handy to log, what they do for later issues. These together with a good firewall handling will make ones life a tad less stressful in terms of security. Though you are right to have concerns and not let it pass half asleep
It can also be of course for the ease of installation, that they ask for root access, which I do understand.
Yes, there are installations that can only be done as root or at least partially. When this is the case, there is usually some admin sitting next to them to at least check what they do. It should be inhouse and via remote session. That could be a criteria, that a software is only allowed on your systems when it can be setup with an own user in the selection process of a software before it is bought.
Though - there can always come code on your machines, that could do harm in terms of spying or destroying/manipulating data.
I doubt strongly, that anyone does a full code check of the software that is being installed on their systems even if it does not run with root permissions. For example - does anybody know what is in the complete code of an Oracle RDBMS installation? It is not even open source.
Even if it was open source software, who has the time, knowledge etc. to check every line of code if it has anything malicious in it.
Also usually most servers are placed in an internal network, protected by one or more firewalls, as long as you are no hosting company (they might have some mechanisms too, but I have no experience about it).
So any gathered data usually can not be sent outside your companies network as it would bounce against the firewall and hopefully alert the network guys for irregular communication.
There is still other ways to get the data out of the company, but this is broad and complex thing, which should be an issue for the security guys in the company.
And as Don says, it is always a question of trust and also of legal rules and liability in contracts with vendors which takes a big part in what you let them do or not.
You sometimes have to make compromises between security and get the stuff up and running.
Something like an IDS (AIDE, Tripwire, ...) can also be very good to check what will be modified on your systems. Also an audit system can come in very handy to log, what they do for later issues. These together with a good firewall handling will make ones life a tad less stressful in terms of security. Though you are right to have concerns and not let it pass half asleep
Last edited by zaxxon; 06-10-2016 at 06:55 AM.. Reason: update after some additional thoughts
This User Gave Thanks to zaxxon For This Post:
|
|
10 More Discussions You Might Find Interesting
1. Linux
wish to know how to access root password it root password is forgotten in linux (1 Reply)
Discussion started by: wojtyla
1 Replies
2. SCO
We have SCO 5.0.5 and can't log into system as "root". The system indicates the password is incorrect. No one knows what happened.
How can we resolve this issue.. Are there files we can restore from backup...?
Any suggestions would be appreciated.
Thank you.. (2 Replies)
Discussion started by: RBurer
2 Replies
3. Shell Programming and Scripting
Hi,
I just wanted to know to what files root does not have access, not even read....I read that .profile for any user is the only file which root cannot access is it true..??...If we have to use passwords and ID's in a script can we use them in .profile and call them as parameters..???
... (3 Replies)
Discussion started by: mgirinath
3 Replies
4. Solaris
Hi,
The security auditor give a this statement , what to do ?
On my solaris system (S10)
"The User ID "root" should not be used on the system - the su and
the priviledged account should be used from each administrator for
accountability purposes"
What to do ? (3 Replies)
Discussion started by: falcon16
3 Replies
5. AIX
Hello
I have a question.
I have a box with Aix 5.3 but I want to disable root access direct from any terminal or console. I mean If I want to login to 10.10.10.10
login:root
password *********
Root access is not permited
Which file I have to edit. to the users first login with... (4 Replies)
Discussion started by: lo-lp-kl
4 Replies
6. UNIX for Dummies Questions & Answers
hi
i am new to unix and i have abig task. i have to \run particular commands having root privileges from a non root user. i know sudo is one of the way but i need sum other approach kindly help
Thanks (5 Replies)
Discussion started by: suryashikha
5 Replies
7. Shell Programming and Scripting
Currently in my system Red Hat is installed. And Many user connect to my machine via SSH Techia Terminal.
I want to give some users a root level access.
Can anyone please help me how to make it possible. I too searched on the Google but didn't find the correct way
Regards
ADI (4 Replies)
Discussion started by: adisky123
4 Replies
8. SuSE
I access over 100 SUSE SLES servers as root from my admin server, via ssh sessions using ssh keys, so I don't have to enter a password. My SUSE Admin server is setup in the following manner:
1) Remote root access is turned off in the sshd_config file.
2) I am the only user of this admin... (6 Replies)
Discussion started by: dvbell
6 Replies
9. Ubuntu
We are having a little problem on a server. We want that some users should be able to do e.g. sudo and become root, but with the restriction that the user can't change root password. That is, a guarantee that we still can login to that server and become root no matter of what the other users will... (2 Replies)
Discussion started by: 244an
2 Replies
10. OS X (Apple)
Mac users...
I updated this MBP from OSX 10.12.1 to the brand new OSX 10.12.2 two days ago.
A week ago I installed the Xcode suite.
Now the QT shell audio capture in another recent thread is broken when exporting a file.
It gives an error in a window, paraphrasing, The action is not... (4 Replies)
Discussion started by: wisecracker
4 Replies
LEARN ABOUT FREEBSD
unbound-anchor
unbound-anchor(8) unbound 1.5.1 unbound-anchor(8) NAME
unbound-anchor - Unbound anchor utility. SYNOPSIS
unbound-anchor [opts] DESCRIPTION
Unbound-anchor performs setup or update of the root trust anchor for DNSSEC validation. It can be run (as root) from the commandline, or run as part of startup scripts. Before you start the unbound(8) DNS server. Suggested usage: # in the init scripts. # provide or update the root anchor (if necessary) unbound-anchor -a "/var/unbound/root.key" # Please note usage of this root anchor is at your own risk # and under the terms of our LICENSE (see source). # # start validating resolver # the unbound.conf contains: # auto-trust-anchor-file: "/var/unbound/root.key" unbound -c unbound.conf This tool provides builtin default contents for the root anchor and root update certificate files. It tests if the root anchor file works, and if not, and an update is possible, attempts to update the root anchor using the root update certificate. It performs a https fetch of root-anchors.xml and checks the results, if all checks are successful, it updates the root anchor file. Otherwise the root anchor file is unchanged. It performs RFC5011 tracking if the DNSSEC information available via the DNS makes that possible. It does not perform an update if the certificate is expired, if the network is down or other errors occur. The available options are: -a file The root anchor key file, that is read in and written out. Default is /var/unbound/root.key. If the file does not exist, or is empty, a builtin root key is written to it. -c file The root update certificate file, that is read in. Default is /var/unbound/icannbundle.pem. If the file does not exist, or is empty, a builtin certificate is used. -l List the builtin root key and builtin root update certificate on stdout. -u name The server name, it connects to https://name. Specify without https:// prefix. The default is "data.iana.org". It connects to the port specified with -P. You can pass an IPv4 addres or IPv6 address (no brackets) if you want. -x path The pathname to the root-anchors.xml file on the server. (forms URL with -u). The default is /root-anchors/root-anchors.xml. -s path The pathname to the root-anchors.p7s file on the server. (forms URL with -u). The default is /root-anchors/root-anchors.p7s. This file has to be a PKCS7 signature over the xml file, using the pem file (-c) as trust anchor. -n name The emailAddress for the Subject of the signer's certificate from the p7s signature file. Only signatures from this name are allowed. default is dnssec@iana.org. If you pass "" then the emailAddress is not checked. -4 Use IPv4 for domain resolution and contacting the server on https. Default is to use IPv4 and IPv6 where appropriate. -6 Use IPv6 for domain resolution and contacting the server on https. Default is to use IPv4 and IPv6 where appropriate. -f resolv.conf Use the given resolv.conf file. Not enabled by default, but you could try to pass /etc/resolv.conf on some systems. It contains the IP addresses of the recursive nameservers to use. However, since this tool could be used to bootstrap that very recursive name- server, it would not be useful (since that server is not up yet, since we are bootstrapping it). It could be useful in a situation where you know an upstream cache is deployed (and running) and in captive portal situations. -r root.hints Use the given root.hints file (same syntax as the BIND and Unbound root hints file) to bootstrap domain resolution. By default a list of builtin root hints is used. Unbound-anchor goes to the network itself for these roots, to resolve the server (-u option) and to check the root DNSKEY records. It does so, because the tool when used for bootstrapping the recursive resolver, cannot use that recursive resolver itself because it is bootstrapping that server. -v More verbose. Once prints informational messages, multiple times may enable large debug amounts (such as full certificates or byte-dumps of downloaded files). By default it prints almost nothing. It also prints nothing on errors by default; in that case the original root anchor file is simply left undisturbed, so that a recursive server can start right after it. -C unbound.conf Debug option to read unbound.conf into the resolver process used. -P port Set the port number to use for the https connection. The default is 443. -F Debug option to force update of the root anchor through downloading the xml file and verifying it with the certificate. By default it first tries to update by contacting the DNS, which uses much less bandwidth, is much faster (200 msec not 2 sec), and is nicer to the deployed infrastructure. With this option, it still attempts to do so (and may verbosely tell you), but then ignores the result and goes on to use the xml fallback method. -h Show the version and commandline option help. EXIT CODE
This tool exits with value 1 if the root anchor was updated using the certificate or if the builtin root-anchor was used. It exits with code 0 if no update was necessary, if the update was possible with RFC5011 tracking, or if an error occurred. You can check the exit value in this manner: unbound-anchor -a "root.key" || logger "Please check root.key" Or something more suitable for your operational environment. TRUST
The root keys and update certificate included in this tool are provided for convenience and under the terms of our license (see the LICENSE file in the source distribution or http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or not suitable to your purpose. By running "unbound-anchor -l" the keys and certificate that are configured in the code are printed for your convenience. The build-in configuration can be overridden by providing a root-cert file and a rootkey file. FILES
/var/unbound/root.key The root anchor file, updated with 5011 tracking, and read and written to. The file is created if it does not exist. /var/unbound/icannbundle.pem The trusted self-signed certificate that is used to verify the downloaded DNSSEC root trust anchor. You can update it by fetching it from https://data.iana.org/root-anchors/icannbundle.pem (and validate it). If the file does not exist or is empty, a builtin version is used. https://data.iana.org/root-anchors/root-anchors.xml Source for the root key information. https://data.iana.org/root-anchors/root-anchors.p7s Signature on the root key information. SEE ALSO
unbound.conf(5), unbound(8). NLnet Labs Dec 8, 2014 unbound-anchor(8)