1 |
On Wed, February 19, 2014 00:06, Alan McKinnon wrote: |
2 |
> On 18/02/2014 14:16, J. Roeleveld wrote: |
3 |
>> On Tue, February 18, 2014 12:17, Alan McKinnon wrote: |
4 |
>>> It's a little more complex than just that. It's an auth service and |
5 |
>>> user |
6 |
>>> are frequently added, removed and modified. The daemon does syntax |
7 |
>>> checking on it's config file at startup or after being HUP'ed but that |
8 |
>>> only finds static errors. It catches things like adding people to a |
9 |
>>> grop |
10 |
>>> instead of to a group, but misses dynamic mistakes like adding users to |
11 |
>>> groups that don't exist. |
12 |
>> |
13 |
>> The auth-service gets the current state from a static file that is only |
14 |
>> read upon service-start? |
15 |
> |
16 |
> Yes. |
17 |
> |
18 |
> It's a good design for reasonably static userbases. The user details, |
19 |
> priviledge definitions, passwords hashes and such are stored in a single |
20 |
> flat file readable only by root and protected by file permissions. |
21 |
> Overall protection is provided by restricted shell access to the host. |
22 |
|
23 |
True, then again, I use ldap for the user accounts at home. |
24 |
Allows my wife to change her own password and I can quickly add an account |
25 |
in case someone needs access. |
26 |
|
27 |
> We're not talking about AT&T's radius servers for dsl users here who |
28 |
> sign up on a web form - for that you would use a database backend - this |
29 |
> is for the company's network support personnel who log into the backbone |
30 |
> and configure the network itself. There's no rush to add new (and |
31 |
> unproven...) users so this scheme suits me just fine. Yes, it has quirks |
32 |
> but these no longer bother me myself, we get caught out by new sysadmins |
33 |
> who have not felt that pain yet |
34 |
|
35 |
Show them a blood-stained (ok, some dark red paint) stick when they start. |
36 |
Then tell them it's used when they kill that service? ;) |
37 |
|
38 |
>>> Despite this all being run out of cron with wrapper scripts to check |
39 |
>>> validity, automated additions and safety checks between all three |
40 |
>>> daemons, plus being fully documented on the internal wiki and in bold |
41 |
>>> blinking red caps in the login motd, people still find ways to do stuff |
42 |
>>> things in an attempt to fix it. |
43 |
>> |
44 |
>> (OT: Does the bold blinking red caps work on all terminals? :) ) |
45 |
> |
46 |
> |
47 |
> Um, OK, you got me there. I was exaggerating! |
48 |
|
49 |
Too bad, I could use that on one of my machines :) |
50 |
|
51 |
>>> The daemon also tries to log these errors, by writing to a log file it |
52 |
>>> has no write permissions on. |
53 |
>> |
54 |
>> "setuid" on the group with group-write in the umask not an option? |
55 |
> |
56 |
> Hmmm, that's worth investigating. I hadn't really considered that as I |
57 |
> have an aversion to trying to use umask as a control for anything. |
58 |
|
59 |
Same here, but that could work. |
60 |
Then again, I believe setuid on the folder does the same on some OSs. (Not |
61 |
Linux though) |
62 |
|
63 |
>>> There is nothing I can do about the quality of sysadmins, I have no |
64 |
>>> input into the HR process and damagement think cheaper is always |
65 |
>>> better, |
66 |
>>> including skills. What I can do, is find ways to make the software more |
67 |
>>> resistant to errors than it already is. |
68 |
>> |
69 |
>> And only grant access permissions to these rookies once they have proven |
70 |
>> they understand rule #1: If In Doubt, Call Someone Who Knows! |
71 |
> |
72 |
> Hah! I fought that good fight for years and fought it well. They don't |
73 |
> call me the sysadmin from hell around here without good reason. And I |
74 |
> did manage to get a cowboy network under control and instill respect for |
75 |
> how much breakage Cisco's products can cause. |
76 |
> |
77 |
> It's getting harder to grant access based purely on expertise, |
78 |
> especially when someone crunched the numbers. It turns out that the cost |
79 |
> of fixing mistakes is far less than the cost of leaving new untrained |
80 |
> people unutilized and have support tickets pile up... |
81 |
|
82 |
True, unfortunately... |
83 |
Then again, a core of really good people can be the better option. But |
84 |
then you end up becoming overly dependent on that group. |
85 |
|
86 |
>> But yes, I fully understand the methods of HR and Damagement. |
87 |
>> It is a financial mistake and risk not to include technical expertise |
88 |
>> checks in the recruitement fase for technical positions. |
89 |
> |
90 |
> Interesting story: |
91 |
> |
92 |
> I once had a good shouting match with a support manager about the |
93 |
> quality of his recruits. I demanded to know why he hired so many |
94 |
> clueless idiots (my exact words). This manager knows me well so he just |
95 |
> smiled and said "Alan, you didn't get to see the applicants we rejected. |
96 |
> These are the best in the market who applied". |
97 |
> |
98 |
> *That* was a wake-up call of note :-) |
99 |
|
100 |
Either done during the "boom" of IT, or wrong recruitment tactics. |
101 |
|
102 |
>> How much does it cost the company each time this goes wrong and someone |
103 |
>> like you has to come online to fix the issue? |
104 |
>> That is what Damagement needs to understand. |
105 |
> |
106 |
> Surprisingly, it's not too expensive. There's always one of us on duty |
107 |
> or standby and outages don't continue unnoticed for long. Longest that I |
108 |
> recall is 3 minutes, then the phone starts ringing non-stop. remember, |
109 |
> this system is internal, it does not service customers. |
110 |
|
111 |
3 minutes downtime is acceptable, even for customers. |
112 |
They generally first assume they are making a mistake ;) |
113 |
|
114 |
-- |
115 |
Joost |