[Planetlab-devel] site_admin account for boot cd
jeff.sedayao at intel.com
Tue Dec 9 18:44:11 EST 2008
I'd generally say no on the general security principal of least privileges. That raises the following questions:
1) What do you need site admins to do?
2) Do they really need root to do it?
3) What DON'T you want site admins to do.
Regarding 3, would you want site admins to delete slices on their own nodes that they found annoying before asking anyone? That's the kind of thing that would be enabled if you gave them root.
From: devel-bounces at planet-lab.org [mailto:devel-bounces at planet-lab.org] On Behalf Of Stephen Soltesz
Sent: Tuesday, December 09, 2008 1:25 PM
To: devel at lists.planet-lab.org
Subject: [Planetlab-devel] site_admin account for boot cd
I am exploring the addition of a site_admin account to the bootcd.
I wanted to get others feedback on the trade-offs of either thinly slicing the
permitted commands available via 'sudo' versus giving the site_admin effectively
I am inclined to simply grant root privilege to the site_admin account. The
benefits of this approach are:
* simplicity. We do not have to make an exhaustive list of commands to
provide. Additionally, when we discover a command that we've missed, we will
not have a pool of N machines with Bootcds that don't have that command
available. Therefore providing tips to technical contacts over time will be
* maximum flexibility for the local tech contact to perform diagnostics.
* no complications or multiple-iterations from tech contacts when they run up
against some command they would like to run but cannot.
The disadvantages I can see are:
* the barrier to access data on the machine is lowered. While physical access
weakens any security system, allowing someone to just log in at the console
lowers it even further.
* We will potentially miss interesting diagnostics that the users are running.
Meaning if we give a list of commands then we'll know what they're trying to
do, basically. When they try or need to do something that we haven't thought
of, we should make a note of it. With out this feedback we lose some visibility
into the kinds of problems sites run into.
What do others think?
Devel mailing list
Devel at lists.planet-lab.org
More information about the Devel