Question:

In a network where multiple people in multiple countries need root access to multiple machines, what is the best way to handle policy governing this?

My main concern is that since I cannot control who a user in another country who may decide to give out a root password to all his buddies, or perhaps if he quits, he'll do so. etc, etc.

Bottom line is, when so many entities need root, what would be the best way to control security?

Thank you for your wisodom.

My first thought was to use sudo. You give user accounts the ability to do things with root powers without them actually becoming root. That way, you don't need to give out the root password and you can see which users carried out which tasks.

Aha! Joy joy!

So all users who 'sudo' to root will be logged (I assume the logfile will be a bash history file stored on the real root directory somewhere?) Because I'll eventually need to keep tabs on these rascals to ensure that they are not doing something they should not be.

Any other measure you can recommend?

How about social policy? Aside from giving the programmers a directive to change thier password ever few days to something like "IOsaq92rk0e%^$sw232pwerk" , any other suggestions?

Once again, that was BRILLIANT!

Thank you! m( )m

Ok...Answered my own question on that one. (The logfile portion)

I rtfm'ed on sudo.

NIIICE. Me likey.

But the question of mananging these folks so that they get in the secure mindest is another matter.

With sudo, you can specify what command can a specific user run, so they can't even do what they are not supposed to do. For example, you can grant a user only with the privilege to reboot/shutdown the machine, and to edit certain files.

And beside sudo, I think there is another system called SELinux(check Fedora Core or Redhat website for this) which can also set privileges to files, etc to a greater extent. I don't use this since it is more complicated than sudo...

Hope this helps.

Yokatta!
Arigatou ne! m( )m