After a battle of years, "academic freedom" was invoked and very senior
management, in its infinite wisdom, has decided that our users (mostly
researchers) should have root access (or full sudo, which amounts to the
same thing) to their Linux workstations.
Does anybody have experience running a Unix/Linux network like this?
Remember full sudo means the ability to 'sudo su' and become any other
user, making permissions (even across NFS) useless. It also means the
ability to play with/pilfer/replace Kerberos keytabs, allowing one to
impersonate any box to which they have access. The support nightmare
cannot be used as an argument against this because users have convinced
management that "that's what support is for."
All I can do is control the servers and decide how services will be
presented and which hoops users should go through to be able to use
server resources.
The current environment is basically Kerberos authentication, NIS
authorization and NFS/CUPS services. Most of the clients are owned,
built, maintained and supported by my organization, but some users will
use their new found freedom to build/buy their own boxes.
The plan is to move away from NIS to LDAP and from NFS to AFS.
What other problems do people see? Any thoughts and suggestions will be
greatly appreciated.
TIA!
Yuri
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
