[Planetlab-devel] site_admin account for boot cd

Sedayao, Jeff jeff.sedayao at intel.com
Tue Dec 9 18:44:11 EST 2008


Stephen,

I'd generally say no on the general security principle of least privilege.  That raises the following questions: 

1) What do you need site admins to do?
2) Do they really need root to do it?  
3) What DON'T you want site admins to do?

Regarding 3, would you want site admins to delete slices on their own nodes that they found annoying before asking anyone?  That's the kind of thing that would be enabled if you gave them root.

Jeff 

-----Original Message-----
From: devel-bounces at planet-lab.org [mailto:devel-bounces at planet-lab.org] On Behalf Of Stephen Soltesz
Sent: Tuesday, December 09, 2008 1:25 PM
To: devel at lists.planet-lab.org
Subject: [Planetlab-devel] site_admin account for boot cd

Hello,

I am exploring the addition of a site_admin account to the bootcd.

I wanted to get others feedback on the trade-offs of either thinly slicing the 
permitted commands available via 'sudo' versus giving the site_admin effectively 
root permissions.

I am inclined to simply grant root privilege to the site_admin account.  The 
benefits of this approach are:

  * simplicity.  We do not have to make an exhaustive list of commands to 
provide.  Additionally, when we discover a command that we've missed, we will 
not have a pool of N machines with Bootcds that don't have that command 
available.  Therefore providing tips to technical contacts over time will be 
less complicated.
  * maximum flexibility for the local tech contact to perform diagnostics.
  * no complications or multiple-iterations from tech contacts when they run up 
against some command they would like to run but cannot.

The disadvantages I can see are:

  * the barrier to access data on the machine is lowered.  While physical access 
weakens any security system, allowing someone to just log in at the console 
lowers it even further.

  * We will potentially miss interesting diagnostics that the users are running. 
Meaning if we give a list of commands then we'll know what they're trying to 
do, basically.  When they try or need to do something that we haven't thought 
of, we should make a note of it.  Without this feedback we lose some visibility 
into the kinds of problems sites run into.

What do others think?

Stephen.

_______________________________________________
Devel mailing list
Devel at lists.planet-lab.org
https://lists.planet-lab.org/mailman/listinfo/devel
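As an added illustration of the two options Stephen lays out (this is not code from the thread or from the PlanetLab bootcd), here is a hypothetical "thin slice" sudoers fragment for a site_admin account, plus a small shell report that pulls the commands sudo refused out of constructed sample syslog lines. The refusal list is exactly the feedback loop the second disadvantage talks about: it tells you which commands tech contacts wanted that the list did not anticipate. The account name, command set, and log lines are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the PlanetLab thread: a restricted-sudo layout for a
# hypothetical site_admin account, and a report of the commands sudo REFUSED,
# which is the visibility you lose if the account is simply given root.

# Hypothetical sudoers fragment (would live in /etc/sudoers.d/site_admin).
# A Cmnd_Alias keeps the permitted set in one place; "site_admin ALL=(ALL) ALL"
# instead would be the "just grant root" option the thread debates.
SUDOERS_FRAGMENT='
Cmnd_Alias BOOTCD_DIAG = /sbin/ifconfig, /bin/dmesg, /sbin/fdisk -l, \
                         /usr/sbin/smartctl, /bin/ping
Defaults:site_admin log_output, logfile=/var/log/sudo-site_admin.log
site_admin ALL=(root) NOPASSWD: BOOTCD_DIAG
'
printf 'sudoers fragment:%s\n' "$SUDOERS_FRAGMENT"

# Constructed sample of sudo's default syslog lines: a permitted command is
# logged plainly, a refused one carries "command not allowed".
SAMPLE_LOG='Dec  9 18:40:01 node1 sudo: site_admin : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/bin/dmesg
Dec  9 18:41:13 node1 sudo: site_admin : command not allowed ; TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/strace -p 1234
Dec  9 18:42:50 node1 sudo: site_admin : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/sbin/ifconfig
Dec  9 18:44:07 node1 sudo: site_admin : command not allowed ; TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tcpdump -i eth0
Dec  9 18:45:30 node1 sudo: site_admin : command not allowed ; TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/strace -p 99'

# Print each refused program (path only, arguments dropped) with the number of
# attempts, most frequent first. That list is the candidate set for the next
# revision of BOOTCD_DIAG.
denied_commands() {
    printf '%s\n' "$1" \
      | grep 'sudo: .* : command not allowed' \
      | sed 's/.*COMMAND=//' \
      | awk '{print $1}' \
      | sort | uniq -c | sort -rn \
      | awk '{print $2 " " $1}'
}

echo "commands site_admin asked for but was refused:"
denied_commands "$SAMPLE_LOG"
```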