Grex > Coop13 > #363: The Temporary Cross Root Incident Item
25 new of 128 responses total.

janc (response 65 of 128), Sep 26 15:56 UTC 2006:
I can't get into a big fury about this, because, as it happens, I am
pretty comfortable with Dan having root access. So no harm done.
However, I agree that this is a pretty huge deviation from accepted
policy. The talk in the policy about granting limited access to
specific users, referred to things like the "cfadm" account and treasurer
account, that allow people to do very specific things in very specific
parts of the system. In some cases, we've given people temporary access
to root, but it was done with a person with official access to root
logging them in and sitting next to them the whole time they were on (I
remember watching Mike McNalley do some work on Grex and having keats
watch me while I did work on M-Net).
To just hand someone root access and let them use it without oversight
is a declaration of total trust in that person. While I may trust Dan
that far, and Mic may, and we may even be well justified in that, it
isn't really our prerogative to make that decision for Grex. That has
always been the board's prerogative. And that's as it should be. If the
board doesn't decide who is root, then the board really isn't in any
substantive control of Grex.
So I do feel that this was an improper action.
Please don't do it again.
Thanks.

tod (response 66 of 128), Sep 26 17:33 UTC 2006:
Can someone post a list of current holders of root and what their role is?

nharmon (response 67 of 128), Sep 26 17:37 UTC 2006:
http://cyberspace.org/staffnote/ *snort*

cross (response 68 of 128), Sep 26 17:44 UTC 2006:
Regarding #65; Given the outcome, I have no intention of repeating it again.
However, you bring up a good point: the board should have control over
access to root. Mic's access is still shut off, even though he has board
approval to have that access. :-/
Regarding #66; Grepping the wheel account out of /etc/group shows you who
has root access. I'm not sure how one would figure out what their primary
responsibilities are. The current contents of wheel are:
wheel:*:0:root,bhoward,gelinas,glenda,i,janc,kip,mcnally,mdw,remmers,srw,steve
root is in there only for redundancy. bhoward hasn't been particularly
active since January, I'm afraid. i handles most conference related stuff.
srw answers the bulk of user emails. gelinas and remmers do general system
stuff. mdw hasn't been particularly active in two years (before this past
weekend, he'd only logged in about twice in the last two years or so).
steve does a lot of the day-to-day grunt work, as we know. janc does stuff
from time to time as he can fit it into his schedule. I'm not sure what
glenda, kip, and mcnally have been up to recently, but I haven't followed
staff on a day-to-day basis for a while now.

nharmon (response 69 of 128), Sep 26 17:46 UTC 2006:
Wouldn't the principle of least privilege suggest that non-active staff
be removed from the wheel group until such a time when they're willing
to be more active?

cross (response 70 of 128), Sep 26 17:55 UTC 2006:
Regarding #67; Hey! I'm listed in there!

cross (response 71 of 128), Sep 26 17:56 UTC 2006:
Yes. But I think that's opening up a whole other can of worms.

tod (response 72 of 128), Sep 26 18:15 UTC 2006:
re #69
Eleven roots does seem pretty extravagant.
re #68
I don't know squat about staff but as a user I would've guessed the root list
would be: gelinas, janc, mcnally, remmers, steve, and spooked
My assumption is based on visible participation of those folks on Grex.
Even so, six roots almost seems excessive.

cross (response 73 of 128), Sep 26 19:23 UTC 2006:
Don't discount srw in that list. He does a lot of down-and-dirty work
supporting users who write asking for help, and often needs root access to
do that (fixing mangled dot files, and things like that).

tod (response 74 of 128), Sep 26 23:42 UTC 2006:
re #73
I don't doubt there are other active roots. I was just relaying my impression
based on the staff folks I see in bbs.

cross (response 75 of 128), Sep 26 23:44 UTC 2006:
Oh, okay.

arthurp (response 76 of 128), Oct 1 04:17 UTC 2006:
I guess I'll preach for a while.
Does everyone remember from math that if a=b and b=c then a=c?
On a UNIX-like system such as Grex giving root access for a few seconds
can result in myriad difficult to detect changes to the system. Some of
these could be backdoor access, or data destruction. I must say again
that these things can happen very quickly. Perhaps tiny fractions of a
second.
Among staff it is pretty well known that STeve is particularly expert
and active with regard to security.
Given the above I would expect STeve to react quickly with sufficient
force to *ensure* reduction in security breach to any situation which
seemed to be a breach, and then continue to act to investigate, clarify,
gather evidence, and resolve the situation with coordination with other
staff and the Board.
As a Computer Security Specialist with clients that include Banks,
Universities, accounting firms, and etc I'll tell you that these are the
facts.
Now come my opinions.
STeve was correct with respect to his technical actions. Perhaps he was
a little harsh with some of his words, but knowing what I know about
staff procedures as a former staffer myself, and seeing the wording used
in the discussion I see how in the situation STeve could have taken
things to be 'playing dumb'. Not that I think that was happening, but
that he could have.
With the above foundation about computer security I think that STeve did
things right. That he didn't make any mistakes. And that nearly all
the posts in this and other items amount to political powerplaying to
gather support for a position from people who have little to no
understanding of the details and methods of systems management.
The correct way to handle this would be between the parties concerned.
That list would be: Board; Staff; Cross; Spooked. Any person schooled
in leadership and management knows this. The motion to change the
wording of the relevant policy is a separate issue that rightly belongs
in COOP. Since some people have chosen to step outside normal
management practices and engage in juvenile sympathy gathering I feel I
can no longer keep quiet on this and must explain some of the normal
practices for situations like this so that we might all behave with more
professionalism next time something happens that needs resolving.
Thank you STeve for trying so hard to keep Grex secure from all sorts of
security threats be they real active situations, abstract potential
eventualities, or possible vague incidents.

mcnally (response 77 of 128), Oct 1 04:41 UTC 2006:
re #76:
> On a UNIX-like system such as Grex giving root access for a few
> seconds can result in myriad difficult to detect changes to the
> system. Some of these could be backdoor access, or data destruction.
> I must say again that these things can happen very quickly. Perhaps
> tiny fractions of a second.
By that argument once cross had had root access it was much too
late for STeve's revocation of root access to fix the problem.
Your statement seems to me to be working at cross-purposes (no pun
intended) to your argument.
> Among staff it is pretty well known that STeve is particularly
> expert and active with regard to security.
It is?
Without minimizing STeve's skills or his contributions to Grex,
I'd have to say I'm not aware of any special expertise he has in
this area. He has strongly-held opinions on the subject and has
a considerable body of experience as a professional sysadmin,
but I don't agree that that's the same as "particularly expert."
I've had a rather busy and stressful couple of weeks and can't
recall at the moment if I've previously made my opinion on this
incident clear but in my opinion mic made a relatively minor error
in judgment and STeve acted in a way that I think speaks volumes
about his attitude towards grex and towards other staff members.
While I don't doubt that his intentions were to protect Grex from
what he perceived as a threat, I think his actions demonstrate a
proprietary feeling towards Grex's admin privileges that I'm not
entirely comfortable with.

arthurp (response 78 of 128), Oct 1 05:18 UTC 2006:
STeve acted in response to an apparent security incident. This requires
immediate and strong response.
Dan et al. did not. The two situations are completely different and
not interchangeable. What you are saying is that if I gain root somehow
and put my name in group wheel then it is too late for someone to revoke
my new rights as a member of staff.
How can so many people fail to understand the difference between system
administration and security response? Again, system admin is a team
effort and is not time critical. Security response is time critical
beyond the limits of most people's imagination which necessarily makes
it an individual effort.

mcnally (response 79 of 128), Oct 1 05:42 UTC 2006:
re #78:
> What you are saying is that if I gain root somehow and put my name
> in group wheel then it is too late for someone to revoke my new rights
> as a member of staff.
If I cannot know for certain that your intentions are not malicious
then it is, in fact, too late for someone to effectively re-secure the
system simply by revoking your membership in the staff & wheel groups.
That's one reason I'm kind of puzzled by STeve's reaction. On the one
hand if he didn't believe that mic and cross were out to harm the system
then his approach seems like a ham-handed overreaction. On the other
hand if he did believe that mic and cross were a threat to the system
then the steps he took to "secure" grex after discovering the situation
(which wasn't particularly hidden to begin with) were totally inadequate.
> How can so many people fail to understand the difference between system
> administration and security response. Again, system admin is a team
> effort and is not time critical. Security response is time critical
> beyond the limits of most people's imagination which necessarily makes
> it an individual effort.
I've got an even worse problem -- I can't even understand what it is
you're trying to say above.
You appear to be arguing that in response to a security breach, immediate
action is required to restore the security of the system and that STeve
was therefore correct to act unilaterally without waiting for the board
to sort things out. I don't particularly disagree with that if that's
what you're saying, but frankly what STeve did really doesn't begin to
come close to re-securing a breached system, about the only attackers it
would actually be effective against were people who weren't attacking in
the first place.

naftee (response 80 of 128), Oct 1 06:15 UTC 2006:
i'm with mike.
re 76 You're acting as if this were a system where the board and staff total
about a hundred different technicians who don't know themselves that well.
GreX just isn't that. It's a community where a lot of the staffers happen
to know each other in person.

spooked (response 81 of 128), Oct 1 13:41 UTC 2006:
A couple of things, there was no security threat -- any non-moron can see
this.
STeve's response was worse than my actions. It was inappropriate, and
quite frankly rude!
If I or Dan wanted to harm the system, it would have been done long ago.
STeve's actions, and more important, his words - and lack thereof - since
the episode have hurt Grex much more than me taking an innocent
initiative.
Just my 2c.

other (response 82 of 128), Oct 1 14:16 UTC 2006:
I think arthurp is misapplying a legitimate point.

cross (response 83 of 128), Oct 1 20:48 UTC 2006:
Regarding #82; I agree with Eric. Arthurp's argument doesn't fit this
situation particularly well.
And, with respect to #76; "juvenile sympathy gathering" - are you serious?

drew (response 84 of 128), Oct 2 02:34 UTC 2006:
I don't know how it is on Grex, but on my Linux system in the
sudoers man page I found a few options that may be of help here.
To wit:
Defaults
--------
mail_always Send mail to the mailto user every time a users runs sudo.
This flag is off by default.
Turn it ON.
mailto Address to send warning and error mail to. The address
should be enclosed in double quotes (") to protect against
sudo interpreting the @ sign. Defaults to root.
This one should be set to a mailing *list*. The list should include
accounts held by all board and staff members on systems *other than
grex*. (I have a bunch of gmail invites if anybody needs some.) And for
good measure, add to the list an account on a machine on the same
network as the grex machine, in the same room, which is otherwise NOT
connected to the internet. (eg, you have to go to the Co-lo building and
sit down at it to login to it.)
logfile Path to the sudo log file (not the syslog log file). Set-
ting a path turns on logging to a file; negating this
option turns it off.
Send this one, also, to another machine, via NFS or similar network
file sharing. Said system will be charged with the task of backing this
file up every 5 seconds or whatever is appropriate, and|or otherwise
keeping it from being deleted or overwritten. (Allow append only.)
In this manner, a user in group wheel can still do anything he likes,
including install back doors, and even stop sudo from keeping such logs.
But by the time he does, if the logs and notices get sent offsystem, the
cat will be out of the bag, and everyone will know who to hold responsible.
Also, just for fun:
lecture This option controls when a short lecture will be printed
along with the password prompt. It has the following pos-
sible values:
never Never lecture the user.
once Only lecture the user the first time they run sudo.
always Always lecture the user.
If no value is specified, a value of once is implied.
Negating the option results in a value of never being used.
The default value is once.
lecture_file
Path to a file containing an alternate sudo lecture that
will be used in place of the standard lecture if the named
file exists.
And one that especially appeals to me:
insults If set, sudo will insult users when they enter an incorrect
password. This flag is off by default.
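As an added example (not from this thread and not Grex's own tooling), a small Python reviewer for the off-system copy of the sudo log that the post above proposes. It parses records in the format sudo writes when the sudoers `logfile` option is set, flags entries that change who holds root (visudo, /etc/group, /etc/sudoers) or remove the log itself, and treats failed and unparsable lines as worth a look too. The sample lines are constructed, and the log path /var/log/sudo.log is an assumption.

```python
import re

# Constructed sample lines (not real Grex logs) in the format sudo writes
# when the sudoers "logfile" option is set; the log path is an assumption.
SUDO_LOG = "/var/log/sudo.log"
SAMPLE_LOG = """\
Oct  2 02:34:10 : drew : TTY=pts/0 ; PWD=/home/drew ; USER=root ; COMMAND=/bin/ls /var/log
Oct  2 02:35:02 : drew : TTY=pts/0 ; PWD=/home/drew ; USER=root ; COMMAND=/usr/sbin/visudo
Oct  2 02:36:45 : mic : TTY=pts/1 ; PWD=/home/mic ; USER=root ; COMMAND=/usr/bin/vi /etc/group
Oct  2 02:37:13 : mic : TTY=pts/1 ; PWD=/home/mic ; USER=root ; COMMAND=/bin/rm /var/log/sudo.log
Oct  2 02:38:00 : guest : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh
"""

# One record: timestamp, invoking user, optional error text, then the
# semicolon-separated TTY/PWD/USER/COMMAND fields.
LINE_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ \d\d:\d\d:\d\d) : (?P<user>\S+) : "
    r"(?:(?P<error>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Files whose modification changes who holds root or erases the audit trail.
SENSITIVE = ("/etc/sudoers", "/etc/group", "/etc/passwd", "/etc/shadow", SUDO_LOG)

def parse_line(line):
    """Return the record's fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """List the reasons a parsed record deserves a human's attention."""
    reasons = []
    if entry["error"]:
        reasons.append("failed: " + entry["error"])
    if entry["cmd"].startswith("/usr/sbin/visudo") or any(p in entry["cmd"] for p in SENSITIVE):
        reasons.append("touches privilege or audit file")
    return reasons

def review(log_text):
    """Return (user, command, reasons) for every line worth flagging; on an
    append-only copy, an unparsable line can only mean tampering upstream."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            flagged.append(("?", line, ["unparsable line"]))
        elif reasons := classify(entry):
            flagged.append((entry["user"], entry["cmd"], reasons))
    return flagged
```

Run `review(SAMPLE_LOG)` to see the four records that would page the list: two edits of root-granting files, the deletion of the log, and the failed attempt.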

spooked (response 85 of 128), Oct 2 02:57 UTC 2006:
I hereby wish to resign, effective immediately, from Grex staff.
There are a few main reasons for my decision:
(1) Good judgement and initiative are discouraged. Autocratic, zealous,
egotistical behaviours are favoured.
(2) Very little good work is done by Grex staff, because of the
repercussions and disincentive caused by (1).
(3) Grex (and particularly the one or two staff who spoil staff) are
backward thinking - exaggerating their own personal importance, and
having no vision or passion for a better Grex.
(4) I find the sheep on staff who follow the zealots on staff (because
they have no conviction or vision of their own) pathetic.
I will now remove myself from groups staff and wheel.

nharmon (response 86 of 128), Oct 2 03:02 UTC 2006:
So who does that leave us with?

naftee (response 87 of 128), Oct 2 03:05 UTC 2006:
steVE.
This is indeed sad news. It sucks that you've left, spooked.

tod (response 88 of 128), Oct 2 03:21 UTC 2006:
Thanks for your time, spooked. I appreciate your and Mike's opinions and hope
both of your opinions continue to be voiced.

spooked (response 89 of 128), Oct 2 03:25 UTC 2006:
Just to leave no doubt about my wording in (1) by zealous (being a zealot)
I mean an extremist, a crank and a bigot (not to be confused with
enthusiastic and positive visionary intent).