SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Slackware 14.2 soon to be Slackware 15
Posts: 699
Rep:
Giving root access to scanning apps - bad idea?
We have spiceworks in our organization, and today someone put the root username/password into spiceworks so it can scan our linux boxes. This strikes me as an extremely bad idea. I'm favoring creating an account that has read-only access to the box, and, and letting spiceworks use that instead.
Anyone care to comment on this? Good idea, bad idea?
I don't quite get what Spiceworks is selling (they are pretty ambiguous on their website), but I would think that giving some random IT reseller root access (even if it is "only" read-access) to all your machines is a very bad idea.
For what exactly do you use Spiceworks?
Distribution: Slackware 14.2 soon to be Slackware 15
Posts: 699
Original Poster
Rep:
Quote:
Originally Posted by TobiSGD
I don't quite get what Spiceworks is selling (they are pretty ambiguous on their website), but I would think that giving some random IT reseller root access (even if it is "only" read-access) to all your machines is a very bad idea.
For what exactly do you use Spiceworks?
Disclaimer - it wasn't my idea to use it :-)
Spice works is an app that runs on a server on our network that is (or at least wants to be) your do-everything-monitor-everything for IT people. We use it for it's help-desk functions. It also watches your network, looks for software that doesn't belong on your Windows boxes, notifies us when warranties expire or printer toner carts get low, etc., etc. The help-desk part of it is rather nice, btw.
I found out today it also scans the linux boxes, and I'm not sure what all it is looking for but one of the things it does is tell you when a partition is getting low on space. Ubuntu makes a small boot partition, and after 8-10 updates this partition fills up with old kernels and runs out of space and when this happens, updates will fail. So anyhow Spiceworks sent me an email telling me the partition was filling up. OK, this was handy, but I learned the hard way to keep an eye on this after spending freakin' HOURS trying to figure out why I could not update one of our boxes. Changing over to Slackware fixed the problem btw.... :-)
So giving this thing root access just seems to me to be to be an *extremely* bad idea.
Maybe I should ask if there is anyone that would be ok with doing this? The more I think about it, the less I like it. I can see it now - I come in one morning, our app server is dead because Spiceworks found a file it didn't like and deleted it - (we don't need any vmlinuz files in /boot, do we?).
There may also be legal consequences, for example if they have access to customer data or something similar. I personally would just use one of the open source monitor systems or, for simple purposes like checking diskspace, write custom scripts.
I am a little irritated about the
Quote:
looks for software that doesn't belong on your Windows boxes
Do your users work with root permission (or can easily get root permissions), so that they can install software?
Disclaimer - it wasn't my idea to use it :-)
Maybe I should ask if there is anyone that would be ok with doing this? The more I think about it, the less I like it. I can see it now - I come in one morning, our app server is dead because Spiceworks found a file it didn't like and deleted it - (we don't need any vmlinuz files in /boot, do we?).
If you will never reboot then no, but you can have your vmlinuz compressed kernel file wherever you want, enough you tell your lilo where it is.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
I think everything should be set to be set up using the principle of least-privilege. So, if Spiceworks will not (or, more importantly, should not) be making any changes to your Linux machines then it should certainly not run with root privileges, ever.
First principals of security and, far as I was aware, one of the first things an auditor would check.
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233
Rep:
hmm i agree with the sentiment, if it doesn't need to make changes then root access isn't needed and is indeed a bad idea
however i would say this, no scanning app in the world, no matter how advanced is a good substitute for a well trained IT staff, a well written acceptable use policy and employees that can be trusted to obey the policy.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.