RE: AW: [cciug] vobadm vs root

From: Aiello, Bob (Exchange) (raiello@bear.com)
Date: Fri Jan 28 2000 - 12:14:15 EST


Well said! I really believe that working on these management, leadership
and even marketing skills is a core competency that we all need to focus on
in the future.

Bob

> -----Original Message-----
> From: Scott Mackillip [SMTP:mmackill@aud.alcatel.com]
> Sent: Friday, January 28, 2000 12:08 PM
> To: Aiello, Bob (Exchange)
> Cc: Greg Dickie; EXTERN Chapman Roy (WA-Consultants; K5/ESQ1); ClearCase User Group
> Subject: Re: AW: [cciug] vobadm vs root
>
> Yes, the relationship is the ultimate thing to keep an eye on.
>
> The spirit of my use of the word political is more in the sense of a
> diplomat. I want to be able to get my job done, and at the same time, I
> don't want to incur any enemies -- either among the management staff or
> the sysadmins. Also, as a consultant, I want to be able to give the
> client the biggest bang for their buck. In my mind, that means getting
> the job done right, the first time, and in a timely manner. Having to
> track down someone else to participate in this is sometimes a
> disadvantage.
>
>
> "Aiello, Bob (Exchange)" wrote:
>
> > Ah. There lies the great challenge for most of us hackno-geeks. We
> > think of these things as "political" - meaning bad or unimportant.
> >
> > The real issue is relationships. As technology professionals all we
> > have is knowledge and relationships. This is where management and
> > leadership skills are so important. Clearcase professionals need to be
> > Quality Leaders! We all need to pick our battles. Sometimes we decide
> > it's not worth destroying a relationship and at other times we choose
> > the "hill to die on". :-)
> >
> > What I am trying to say is that there is no easy answer to this issue.
> > I prefer to be part of the sysadmin team when possible. This keeps me
> > in the loop and helps me maintain my skills.
> >
> > Regards.
> > Bob
> >
> > > -----Original Message-----
> > > From: Scott Mackillip [SMTP:mmackill@aud.alcatel.com]
> > > Sent: Friday, January 28, 2000 10:41 AM
> > > To: Greg Dickie
> > > Cc: EXTERN Chapman Roy (WA-Consultants; K5/ESQ1); ClearCase User Group
> > > Subject: Re: AW: [cciug] vobadm vs root
> > >
> > >
> > > I concur 100%. The difficulty I am facing in my current environment
> > > is that politically there are several distinct groups that have done
> > > the ClearCase admin independently for some time now. My group (a
> > > software support group, not system admins) is trying to consolidate
> > > the CC admin efforts -- to augment the current CC administrative
> > > abilities. Up till now, the CC admins have not had root access of any
> > > kind. It seems to be functioning fine for all the distinct groups.
> > >
> > > With one central admin point, it would be beneficial for them to have
> > > access to some commands as root, to facilitate the CC admin. All this
> > > is understood by the folks on this list.
> > >
> > > The real problem I am facing is political, so arming myself with
> > > "best practices" and real-world experience will definitely form the
> > > basis of my argument/proposal to management for the sudo access.
> > >
> > >
> > > Greg Dickie wrote:
> > >
> > > > A good relationship between the CC admin and the sysadmins is
> > > > absolutely essential (in my case, I lead the sysadmins). For me the
> > > > idea behind sudo is not to block access to root since I'm sure some
> > > > malicious hacker would be able to circumvent it, the idea is to make
> > > > it more difficult to screw up since you don't need to have a root
> > > > shell open all the time. As I said, the sysadmins here work for me
> > > > and I hardly ever have a root shell open, much safer.
> > > >
> > > > Greg
> > > >
> > > > On Fri, 28 Jan 2000, Scott Mackillip wrote:
> > > >
> > > > > Date: Fri, 28 Jan 2000 08:21:08 -0600
> > > > > From: Scott Mackillip <mmackill@aud.alcatel.com>
> > > > > To: "EXTERN Chapman Roy (WA-Consultants; K5/ESQ1)" <Roy.Chapman@de.bosch.com>,
> > > > >     ClearCase User Group <cciug@Rational.Com>
> > > > > Subject: Re: AW: [cciug] vobadm vs root
> > > > >
> > > > >
> > > > > My only question now is: once you give me sudo to cleartool,
> > > > > can't I run a shell-out from the cleartool and have a shell
> > > > > running as root?
> > > > >
> > > > > Does that not defeat the whole idea of sudo?
> > > > >
> > > > > If this is the case, and there really is a limited number of UNIX
> > > > > commands for troubleshooting clearcase as root, what is that
> > > > > limited number of commands?
> > > > >
> > > > > I apologize if I'm belaboring the point, but I feel that a strong
> > > > > relationship between the Sys Admin team and the ClearCase Admin
> > > > > team is necessary for a cohesive and cooperative work
> > > > > environment. I don't want to have to run to the Sys Admin each
> > > > > time I need to troubleshoot a user's problem, or restart
> > > > > clearcase. In short, I don't want to pester the Sys Admins to the
> > > > > point that they roll their eyes and inwardly (or outwardly!)
> > > > > groan each time they see me.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Scott
> > > > >
> > > > > "EXTERN Chapman Roy (WA-Consultants; K5/ESQ1)" wrote:
> > > > >
> > > > > > I disagree, it is not pointless trying to restrict root.
> > > > > > Suggest you work for a Bank and express that opinion.
> > > > > >
> > > > > > I do agree with you though that a small number of Unix commands
> > > > > > could be used to hack the system. But, if we are sensible about
> > > > > > this, we don't need these commands as a Clearcase
> > > > > > Administrator. I would suggest that sudo access to cleartool
> > > > > > and "sh /etc/rc2.d/S77atria" would suffice. Yes, I am sure that
> > > > > > additional commands are required on a daily basis, but that's
> > > > > > what we have Unix Administrators for. A root shell is a
> > > > > > dangerous weapon, I doubt that there is a user on this list who
> > > > > > has been given root access in the past and not accidentally
> > > > > > rebooted a system or removed something they shouldn't have. And
> > > > > > if you haven't, give it time. Sudo makes access to root
> > > > > > commands a pain, in the same way that keeping a loaded weapon
> > > > > > in a safe makes access more difficult.
> > > > > >
> > > > > > Roy Chapman
> > > > > > External Consultant
> > > > > >
> > > > > > Robert Bosch GmbH * (00 49) 0711/811-31795 / GSM (00 49) 0173/4887139
> > > > > > K5/ESQ * (00 49) 0711/811-31800
> > > > > > Postfach 20 02 40 * mailto:roy.chapman@de.bosch.com
> > > > > > D-70442 Stuttgart
> > > > > >
> > > > > > > ----------
> > > > > > > From: Christian Goetze [SMTP:cg@digisle.net]
> > > > > > > Sent: Thursday, January 27, 2000 20:12
> > > > > > > To: Scott Mackillip
> > > > > > > Cc: ClearCase User Group
> > > > > > > Subject: Re: [cciug] vobadm vs root
> > > > > > >
> > > > > > >
> > > > > > > I think restricting sudo is silly - since it is trivial to
> > > > > > > bypass any restrictions if sudo is to have any use at all
> > > > > > > (e.g. one of the most common commands I run as sudo is chmod,
> > > > > > > and once you give me chmod...).
> > > > > > >
> > > > > > > Since root exploits for clearcase machines are available and
> > > > > > > well known among crackers, it is pointless to attempt to
> > > > > > > protect root. What you should do instead is to reduce the
> > > > > > > risk of accidental or trivial errors, and in addition gain
> > > > > > > the benefit of logging and the use of your own password.
> > > > > > > That's what sudo is really good for...
> > > > > > >
> > > > > > > If you are in a sensitive environment, you need to set up
> > > > > > > different security procedures that take the vulnerability of
> > > > > > > Clearcase machines into account. I use the following policy:
> > > > > > >
> > > > > > > Sensitive machines treat ClearCase machines like external
> > > > > > > Machines (no trust).
> > > > > > >
> > > > > > > ClearCase machines trust all internal machines (no hassles
> > > > > > > with distributed builds etc)
> > > > > > >
> > > > > > > Nobody trusts external machines (duh).
> > > > > > >
> > > > > > > ClearCase machines should be used exclusively for development
> > > > > > > and testing on non-sensitive data sets. Consider that anyone
> > > > > > > who obtains a normal login on a Clearcase machine already has
> > > > > > > the "loot" (i.e. your source code). Protecting root in
> > > > > > > addition to that adds nothing.
> > > > > > >
> > > > > > > Special attention should be given to the possibility of Trojan
> > > > > > > horses being migrated from the relatively insecure
> > > > > > > development network into the secure production network. Use
> > > > > > > code review and checksums...
> > > > > > >
> > > > > > > --
> > > > > > > cg
> > > > > > >
> > > > > > >
> > > > > > > On Thu, 27 Jan 2000, Scott Mackillip wrote:
> > > > > > >
> > > > > > > >
> > > > > > > > All,
> > > > > > > >
> > > > > > > > I have been following the conversation closely, as I don't
> > > > > > > > have root access at my current site. I am in the process of
> > > > > > > > putting together a proposal for sudo access for the
> > > > > > > > commands that will be needed, and have a couple of
> > > > > > > > questions for you all.
> > > > > > > >
> > > > > > > > Does anyone have a list of the commands that would require
> > > > > > > > root access? (I can generate the list, but if someone has
> > > > > > > > that already done, why re-invent the wheel?)
> > > > > > > >
> > > > > > > > Is it easier to just ask for sudo for cleartool, and then
> > > > > > > > shell out to accomplish the required task as root? Will
> > > > > > > > sudo log this behavior so the system administrators have a
> > > > > > > > log/trail should something go awry?
> > > > > > > >
> > > > > > > > Or would it be better to just ask for sudo for the commands
> > > > > > > > needed one at a time?
> > > > > > > >
> > > > > > > > What about troubleshooting a user's view? How do you go
> > > > > > > > about getting access to su to another user without knowing
> > > > > > > > their password?
> > > > > > > >
> > > > > > > > Thanks for any help in this!
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Scott MacKillip
> > > > > > > >
> > > > > > > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > > > > > > > http://clearcase.rational.com/cciug/mailing_list.html
> > > > > > >
> > > > >
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > Greg Dickie
> > > > Just A Guy*
> > > > *from discreet (the logic is gone)
> > > > Montreal
> > > > (514) 954-7171
> > > > greg@discreet.com
> > >
> >
> > ***********************************************************************
> > Bear Stearns is not responsible for any recommendation, solicitation,
> > offer or agreement or any information about any transaction, customer
> > account or account activity contained in this communication.
> > ***********************************************************************

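The thread keeps returning to one point: "sudo for cleartool" is a root shell, because cleartool can shell out, and "sudo chmod" is a root shell, because chmod u+s /bin/sh takes one command. Below is an added example (written for this archive page, not code from any of the posters, from Rational, or from the sudo project) that puts the weak grants next to tighter ones in a constructed sudoers file and runs a small awk audit over it. The audit flags any grant, written without the NOEXEC tag, whose command is a shell, an editor, an interpreter, chmod/chown, find, or cleartool. The paths /usr/atria/bin/cleartool and /etc/rc2.d/S77atria are taken from Roy's post; the user ccadm, the aliases DEVS and CC_SERVICE, and the sample file are assumptions made up for the example. The (DEVS) line answers Scott's last question: with a Runas list, "sudo -u alice cleartool lsview" runs as alice without alice's password.

```sh
#!/bin/sh
# Added example for this thread (not the posters' code, not sudo's own):
# audit a sudoers file for grants that are a root shell in disguise.
# cleartool is on the list because the thread notes it can shell out;
# chmod/chown because "sudo chmod u+s /bin/sh" ends the restriction.
# Paths from the thread: /usr/atria/bin/cleartool, /etc/rc2.d/S77atria.
# Constructed: user ccadm, aliases DEVS and CC_SERVICE, the sample file.

# Basenames that hand out an interactive root shell or arbitrary file writes.
ESCAPE_CMDS='sh bash ksh csh su chmod chown vi vim ed find perl python cleartool'

# audit_sudoers FILE: print one line per risky grant (line number + reason).
# Cmnd_Alias names used in user specs are not resolved; the commands are
# inspected where they are written, which is where the escape hatch is.
audit_sudoers() {
    awk -v escapes="$ESCAPE_CMDS" '
    BEGIN { n = split(escapes, e, " "); for (i = 1; i <= n; i++) risky[e[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                        # comments, blanks
    /^[ \t]*(Defaults|Host_Alias|User_Alias|Runas_Alias)/ { next }
    {
        line = $0
        sub(/[ \t]#.*$/, "", line)                           # trailing comment
        if (line ~ /^[ \t]*Cmnd_Alias/)
            sub(/^[^=]*=/, "", line)                         # keep the command list
        else
            sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", line) # drop user host=(runas)
        noexec = (line ~ /NOEXEC:/)
        gsub(/[A-Z]+:/, "", line)                            # strip NOPASSWD:, NOEXEC: ...
        m = split(line, cmds, ",")
        for (i = 1; i <= m; i++) {
            c = cmds[i]; sub(/^[ \t]+/, "", c)
            split(c, parts, /[ \t]+/); path = parts[1]
            k = split(path, pp, "/"); base = pp[k]
            if (base == "ALL")
                print NR ": ALL is an unrestricted root shell"
            else if ((base in risky) && !noexec)
                print NR ": " path " can spawn a root shell or rewrite the system (no NOEXEC)"
        }
    }' "$1"
}

# count_risky FILE: number of risky grants, on stdout.
count_risky() { audit_sudoers "$1" | wc -l | tr -d ' '; }

# write_sample FILE: constructed sudoers contrasting the grants discussed in
# the thread. Lines (1) and (2) are the weak ones; (3) to (5) are tighter.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from any real host
Runas_Alias DEVS = alice, bob
Cmnd_Alias  CC_SERVICE = /etc/rc2.d/S77atria start, /etc/rc2.d/S77atria stop

# (1) "sudo to cleartool": cleartool can shell out, so this is root
ccadm   ALL = (root) /usr/atria/bin/cleartool
# (2) chmod: "sudo chmod u+s /bin/sh" and the restriction is gone
ccadm   ALL = (root) /bin/chmod
# (3) restart ClearCase only through the rc script, start/stop only
ccadm   ALL = (root) CC_SERVICE
# (4) cleartool as root with NOEXEC: exec from inside cleartool is refused
ccadm   ALL = (root) NOEXEC: /usr/atria/bin/cleartool
# (5) troubleshoot a user's view as that user, no password needed
ccadm   ALL = (DEVS) NOEXEC: /usr/atria/bin/cleartool
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "risky grants in sample sudoers:"
audit_sudoers "$sample"     # flags lines (1) and (2) only
rm -f "$sample"
```

Two caveats a practitioner would want before adopting lines (4) and (5). NOEXEC works by preloading a library into the command, so it blocks exec from a dynamically linked cleartool but not from a statically linked binary, and it does nothing about a command that can write arbitrary files as root. And sudo's log records the command line it approved, not what an interactive session did inside it, which is why Scott's "will sudo log this behavior" has the answer "only the cleartool invocation, not the shell you spawned from it"; Greg's point stands that the value is in not having a root shell open, plus the audit trail under your own password.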




This archive was generated by hypermail 2b29 : Sun May 06 2001 - 00:22:40 EDT