LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
LinkBack Search this Thread
Old 09-18-2013, 01:04 PM   #1
Ook
Member
 
Registered: Apr 2004
Location: Hell, Arizona
Distribution: Slackware 14.1
Posts: 326

Rep: Reputation: 25
Giving root access to scanning apps - bad idea?


We have spiceworks in our organization, and today someone put the root username/password into spiceworks so it can scan our linux boxes. This strikes me as an extremely bad idea. I'm favoring creating an account that has read-only access to the box, and, and letting spiceworks use that instead.

Anyone care to comment on this? Good idea, bad idea?
 
Old 09-18-2013, 01:24 PM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Gentoo, Slackware
Posts: 14,903
Blog Entries: 2

Rep: Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812
I don't quite get what Spiceworks is selling (they are pretty ambiguous on their website), but I would think that giving some random IT reseller root access (even if it is "only" read-access) to all your machines is a very bad idea.
For what exactly do you use Spiceworks?
 
Old 09-18-2013, 01:37 PM   #3
Ook
Member
 
Registered: Apr 2004
Location: Hell, Arizona
Distribution: Slackware 14.1
Posts: 326

Original Poster
Rep: Reputation: 25
Quote:
Originally Posted by TobiSGD View Post
I don't quite get what Spiceworks is selling (they are pretty ambiguous on their website), but I would think that giving some random IT reseller root access (even if it is "only" read-access) to all your machines is a very bad idea.
For what exactly do you use Spiceworks?
Disclaimer - it wasn't my idea to use it :-)

Spice works is an app that runs on a server on our network that is (or at least wants to be) your do-everything-monitor-everything for IT people. We use it for it's help-desk functions. It also watches your network, looks for software that doesn't belong on your Windows boxes, notifies us when warranties expire or printer toner carts get low, etc., etc. The help-desk part of it is rather nice, btw.

I found out today it also scans the linux boxes, and I'm not sure what all it is looking for but one of the things it does is tell you when a partition is getting low on space. Ubuntu makes a small boot partition, and after 8-10 updates this partition fills up with old kernels and runs out of space and when this happens, updates will fail. So anyhow Spiceworks sent me an email telling me the partition was filling up. OK, this was handy, but I learned the hard way to keep an eye on this after spending freakin' HOURS trying to figure out why I could not update one of our boxes. Changing over to Slackware fixed the problem btw.... :-)

So giving this thing root access just seems to me to be to be an *extremely* bad idea.

Maybe I should ask if there is anyone that would be ok with doing this? The more I think about it, the less I like it. I can see it now - I come in one morning, our app server is dead because Spiceworks found a file it didn't like and deleted it - (we don't need any vmlinuz files in /boot, do we?).
 
Old 09-18-2013, 01:51 PM   #4
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Gentoo, Slackware
Posts: 14,903
Blog Entries: 2

Rep: Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812Reputation: 3812
There may also be legal consequences, for example if they have access to customer data or something similar. I personally would just use one of the open source monitor systems or, for simple purposes like checking diskspace, write custom scripts.

I am a little irritated about the
Quote:
looks for software that doesn't belong on your Windows boxes
Do your users work with root permission (or can easily get root permissions), so that they can install software?

Last edited by TobiSGD; 09-18-2013 at 05:54 PM.
 
Old 09-18-2013, 02:11 PM   #5
saxa
Member
 
Registered: Aug 2004
Posts: 253

Rep: Reputation: 9
Quote:
Originally Posted by Ook View Post
Disclaimer - it wasn't my idea to use it :-)
Maybe I should ask if there is anyone that would be ok with doing this? The more I think about it, the less I like it. I can see it now - I come in one morning, our app server is dead because Spiceworks found a file it didn't like and deleted it - (we don't need any vmlinuz files in /boot, do we?).
If you will never reboot then no, but you can have your vmlinuz compressed kernel file wherever you want, enough you tell your lilo where it is.
 
Old 09-18-2013, 03:28 PM   #6
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid + various in VMs.
Posts: 2,866

Rep: Reputation: 633Reputation: 633Reputation: 633Reputation: 633Reputation: 633Reputation: 633
I think everything should be set to be set up using the principle of least-privilege. So, if Spiceworks will not (or, more importantly, should not) be making any changes to your Linux machines then it should certainly not run with root privileges, ever.
First principals of security and, far as I was aware, one of the first things an auditor would check.
 
Old 09-18-2013, 08:44 PM   #7
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: Carrollton, Texas
Distribution: Slackware64 14.1
Posts: 1,323

Rep: Reputation: 353Reputation: 353Reputation: 353Reputation: 353
You should be able to configure Spiceworks to access the net-snmp daemon that you might be running to get partition usage statistics.

If you can, it doesn't need any access at all (other than the snmp user info which can be totally unrelated to any users on the box).
 
Old 09-18-2013, 09:15 PM   #8
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,010

Rep: Reputation: 352Reputation: 352Reputation: 352Reputation: 352
hmm i agree with the sentiment, if it doesn't need to make changes then root access isn't needed and is indeed a bad idea
however i would say this, no scanning app in the world, no matter how advanced is a good substitute for a well trained IT staff, a well written acceptable use policy and employees that can be trusted to obey the policy.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
giving non-root users access to sound in 12.2 zipoh Slackware - Installation 2 03-24-2009 03:34 PM
Why is compiling as root a bad idea? vxc69 Linux - Software 3 10-30-2006 04:47 PM
[SOLVED] LINUX newbie: Was using root password in this case a bad idea? MBA Whore Linux - Security 4 05-20-2006 03:52 PM
Running KPPP as Root = Bad Idea? Hawklad Debian 8 09-23-2004 06:57 PM
About giving ppl root/wheel access unSpawn Linux - General 1 05-20-2001 05:52 PM


All times are GMT -5. The time now is 03:18 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration