Berkeley CSUA MOTD:Entry 46892
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/05/23 [General] UID:1000 Activity:popular
5/23    

2007/6/8-11 [Computer/SW/Security, Computer/SW/Unix] UID:46892 Activity:low
6/8     I was talking to an acquaintance who said that his workplace was
        slowly evolving to a stated goal of taking superuser privileges
        away from the sysadmins in an effort to maintain a strict CM
        and, I assume in some way, lower costs - possibly by hiring
        trained monkeys to deploy pre-built images. I am curious what the
        IT theories are behind this. Is this a crackpot method of system
        management or is there some established theory behind this? Has
        anyone else seen this happen at their work? What were the results?
        My kneejerk reaction is that this is a Very Bad Thing, but maybe
        there's something to it.
        \_ Depends.  Are they mostly Windows?  Mostly UNIX?  Who still has
           superuser access?  Are they highly responsive?  It can be made to
           work.  But unless it's driven by competent IT management, it could
           be LOTS o' PAIN
           \_ All UNIX. I assume the idea is that if a change needs to be
              made then it is rolled out from some central server
              somewhere and no admins ever touch the individual workstations
              for any reason except perhaps hardware failure.
        \_ CM?
           \_ configuration management
        \_ No, this is in keeping with Best Practices surrounding security,
           especially the notion of "least privelege" which is to say that
           especially the notion of "least privilege" which is to say that
           people should have the permissions they need to do their job
           and no more. I personally think this is fine, but only works
           after an organization reaches a certain maturity and size.
           You need at least enough people so that you can have an on-call
           page rotation for the "root" team and another one for the
           "admin" team. Email if you want to talk about this some more
           this is something I have thought about quite a bit. -ausman
           http://en.wikipedia.org/wiki/Principle_of_least_privilege
           http://www.csua.org/u/ivq (Forrester Research)
ERROR, url_link recursive (eces.Colorado.EDU/secure/mindterm2) 2025/05/23 [General] UID:1000 Activity:popular
5/23    

You may also be interested in these entries...
2013/10/24-11/21 [Computer/Companies/Apple] UID:54747 Activity:nil
9/19    "No, A Severed Finger Will Not Be Able to Access a Stolen iPhone 5S"
        http://mashable.com/2013/09/15/severed-finger-iphone-5s
        I'm sure the Apple QA department has tested extensively that a severed
        finger will not be able to access a stolen iPhone 5S.
        \_ It doesn't matter whether or not a severed finger can be used.  It
           matters whether or not a robber thinks that a severed finger can be
	...
2013/6/6-7/31 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:54690 Activity:nil
6/6     Wow, NSA rocks. Who would have thought they had access to major
        data exchangers? I have much more respect for government workers,
        crypto experts, mathematicans now than ever.
        \_ flea to Hong Kong --> best dim-sum in the world
           \_ "flee"
        \_ The dumb ones work for DMV, the smart ones for the NSA. If you
	...
2012/8/26-11/7 [Computer/SW/Security] UID:54465 Activity:nil
8/26    Poll: how many of you pub/priv key users: 1) use private keys that
        are not password protected 2) password protect your private keys
        but don't use ssh-agent 3) use ssh-agent:
        1) .
        2) ..
        3) ...
	...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
	...
2012/9/20-11/7 [Computer/SW/Unix, Finance/Investment] UID:54482 Activity:nil
9/20    How do I change my shell? chsh says "Cannot change ID to root."
        \_ /usr/bin/chsh does not have the SUID permission set. Without
           being set, it does not successfully change a user's shell.
           Typical newbie sys admin (on soda)
           \_ Actually, it does: -rwsr-xr-x 1 root root 37552 Feb 15  2011 /usr/bin/chsh
	...
2012/8/7-10/17 [Computer/SW/Security] UID:54455 Activity:nil
8/6     Amazon and Apple have lame security policies:
        http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all
        "First you call Amazon and tell them you are the account holder, and
         want to add a credit card number to the account. All you need is the
         name on the account, an associated e-mail address, and the billing
         address. "
	...
2012/5/8-6/4 [Computer/SW/Unix] UID:54383 Activity:nil
5/8     Hello everyone!  This is Josh Hawn, CSUA Tech VP for Spring 2012.
        About 2 weeks ago, someone brought to my attention that our script
        to periodically merge /etc/motd.public into /etc/motd wasn't
        running.  When I looked into it, the cron daemon was running, but
        there hadn't been any root activity in the log since April 7th.  I
        looked into it for a while, but got lost in other things I was
	...
2012/2/9-3/26 [Computer/SW/Security, Computer/SW/Unix] UID:54305 Activity:nil
2/9     Reminder: support for mail services has been deprecated for *several
        years*. Mail forwarding, specifically .forward mail forwarding, is
        officially supported and was never deprecated.
        \_ There is no .forward under ~root.  How do we mail root and how do
           we get responses?
           \_ root@csua.berkeley.edu is and always has been an alias.
	...
2011/9/14-12/28 [Computer/SW/Unix] UID:54172 Activity:nil
9/12    We've restored CSUA NFS to something vaguely resembling normal
        functionality -- plus, with some luck, we should now have something
        vaguely resembling normal uptime, too!  Ping root@csua.org if you
        notice any problems.  --jordan
--------------------------------------------------------------------------------
        \_  Oh, and http://irc.CSUA.Berkeley.EDU is online again.
	...
2011/6/5-8/27 [Computer/HW/Memory] UID:54127 Activity:nil
6/5     In an effort to stabilize our services, we'll be rebuilding parts of
        the CSUA infrastructure over the course of this summer.  To give us
        some wiggle room, I've temporarily decreased soda's allocated RAM from
        8GB to 2GB.  If you need to run something that requires large amounts
        of memory, please send mail to root@csua.org and we'll try to
        accommodate your request.  --jordan
	...
2011/4/27-7/30 [Computer/SW/Security, Computer/SW/Unix] UID:54096 Activity:nil
4/28    Will wall be fixed?   - jsl
        \_ What's wall?
           \_ An anachronism from a bygone era, when computers were hard to
              comeby, the dorms didn't have net, there was no airbears, and
              when phones didn't come standard with twitter or sms.
           \_ A non useful implementation of twitter.
	...
2011/5/19-7/30 [Computer/SW/Security] UID:54110 Activity:nil
5/19    Uh, is anyone still using this? Please mark here if you post and
        haven't added this yet. I'll start:
        \_ person k
        \_ ausman, I check in about once a week.
        \_ erikred, twice a week or so.
        \_ mehlhaff, I login when I actually own my home directory instead of
	...
2010/12/13-2011/2/19 [Computer/SW/Unix] UID:53978 Activity:nil
12/21   Help, all my files are owned by nobody! -ausman
        (yes I emailed root)
        \_ Things should be fine now. As usual, the NFS server caused a cascade
           of errors.
	...
Cache (2508 bytes)
en.wikipedia.org/wiki/Principle_of_least_privilege
The principle of least privilege is also known as the principle of least authority (POLA), an alternative term coined by those who consider authority be a more precise term than privilege to represent "ability to access" in the true spirit of this concept. Specifically, authority represents all effects that a subject can directly or indirectly cause in a system, as opposed to permission which represents the effects that can be directly caused in a single operation. In modern operating systems like Windows there is no security enforcement for code running in kernel mode and therefore such code always runs with maximum privileges. The principle of least privilege therefore demands the use of a user mode solutions when given the choice between a kernel mode and user mode solution if the two solutions provide the same results. When code is limited in the scope of changes it can make to a system, it is easier to test its possible actions and interactions with other applications. In practice for example, applications running with restricted rights will not have access to perform operations that could crash a machine, or adversely affect other applications running on the same system. When code is limited in the system-wide actions it may perform, vulnerabilities in one application cannot be used to exploit the rest of the machine. For example, Microsoft states "Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits, spyware, and undetectable viruses." In general, the fewer privileges an application requires the easier it is to deploy within a larger environment. This usually results from the first two benefits, applications that install device drivers or require elevated security privileges typically have addition steps involved in their deployment, for example on Windows a solution with no device drivers can be run directly with no installation, while device drivers must be installed separately using the Windows installer service in order to grant the driver elevated privileges. Peter J Denning is referred as the original source, even though it was described under different names by many contemporary papers, like The protection of information in computer systems, by Saltzer and Schroeder. The original formulation from Saltzer and Schroeder: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
Cache (1488 bytes)
www.csua.org/u/ivq -> www.forrester.com/Research/Document/Excerpt/0,7211,34386,00.html
Natalie Lambert This is a document excerptEXECUTIVE SUMMARY IT departments are increasingly interested in role-based access control (RBAC) models, especially the groups tasked with security or compliance. However, adoption lags because the RBAC model remains poorly understood. Forrester recommends business views and compliance considerations drive role development from the top down. Focus on a relatively few higher-level roles, organized hierarchically to keep the model stable. In most cases, roles will not establish privileges spanning the enterprise, instead they will have an application-level context. Enterprisewide value is achievable by coordinating RBAC and user management with a mature identity management infrastructure. TABLE OF CONTENTS NOTES & RESOURCES item It's Simply About Simplicity item But RBAC Turns Out To Be Anything But Simple item Approaching The RBAC Project item Role Engineering: Constructing The Model recommendations item RBAC Requires Investment And Patience item Keep The Focus Of RBAC On The Business item Tap The Consultants With Expertise item Identity Management Builds RBAC Bridges item Supplemental Material Forrester has interviewed several vendors, systems integrators, and end user companies for this report, and has reviewed dozens of client inquiries on this topic. item Directory Service and Security Strengthen Their Ties January 4, 2002, IdeaByte Find Documents In Related Categories This document falls under the following categories.