I would never give the application team access.
If you hand over access to
root then you have no idea what they could insert. Consider that they put on a service for a port that they choose and have it run the Korn shell. From any other server, a simple
telnet to that port will fire up a Korn shell and give them root access again.
There are a myriad of other possibilities too. You need to turn this completely around.
Find out:-
- What they need to do
- Why they think they must have root access
I would bet that they can't, but it's just convenient. I f you feel you really have to, use
sudo to grant them the minimum privilege to do their work and if you have concerns that they could escape to a shell or set a script to SUID etc., then keep them away from it.
Even something as critical as creating an Oracle database does not need the DBA to have root authority. True, someone has to install the software and allocate disk space etc. but that is your job.
Perhaps have them tell you what to do and you drive the process if you are happy with it.
If you have a really great car and you give them the key, what's to stop them copying the key and borrowing it when you're not looking and getting you speeding points or just wrecking it and running away?
Would you give them the password and trust them to make an update on your on-line bank account without stealing the cash?
Be honest with yourself. If they mess it up, who is in the firing line?
Just my opinion.
Robin