Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

UNIX Systems Control Politics?

Cliff posted more than 9 years ago | from the got-root dept.

Security 133

pariahdecss asks: "I have just been hired as the webmaster for local college. The website for which I am responsible is hosted 'in-house' and controlled by the college. The server box does not have any other production systems on it besides my website. The website that I have inherited is driven by an amalgam of Embedded Perl and PostgreSQL. Now to the politics...the UNIX Administrator does not want to give me root access to this box. What have others done when faced with this type of systems politics? Is it even possible to function as a full scale webmaster without root access to the box you serve from?"

Sorry! There are no comments related to the filter you selected.

Webmaster needs root acces? (4, Informative)

at2000 (715252) | more than 9 years ago | (#10880753)

I don't think anyone would agree with you.

Which of Perl and Postgresql needs root? If webmasters need root access, then who else don't need?

Re:Webmaster needs root acces? (3, Interesting)

harikiri (211017) | more than 9 years ago | (#10886459)

Reminds me of an advertisment I saw just a few days ago. The magazine is literally sitting next to me, so let me just grab it to refresh my memory...

...ahh here's the quote:

"How many Developers run as Administrator on their development box? Our research shows 95% or more - despite this being a known practice which introduces deployment and/or security flaws in applications downstream!"

Either way, it's an absolute PITA to do development without the freedom provided by having total access (installing third party packages/software, modifying permissions, configuring services). You can install applications like Sudo [courtesan.com] to grant elevated privileges on a case-by-case basis, but you have to be serious about it because there's a lot of configuration you have to do if you want to do it properly.

Sidenote: My colleague who used to work for a bank told me a tale where he was not allowed to see what cron jobs were running on a system, but for whatever reason - had been given access to use /bin/cat with sudo. At one stage he "cat" the /var/spool/cron/tabs/xyz (or whatever the path is), in order to find out why some process was hogging the system resources. When he offered a suggestion on how to improve it - the admin looked at him oddly and was like "how do you know what cron jobs are running!?"

Re:Webmaster needs root acces? (1)

BJH (11355) | more than 9 years ago | (#10886779)

Jesus Christ, what asshat admin gave him sudo access to /bin/cat?!

With just that one command, it'd be piss-easy to take over the box (if he's evil) or screw it up terminally (if he's incompetent).

Might as well not bother with sudo at all...

Yes (4, Insightful)

metalhed77 (250273) | more than 9 years ago | (#10880757)

It's entirely possible to function without root. Albeit to a limited extent. You have to ask your admin to install / upgrade software for you, but do it enough and maybe he'll get sick of it and give you root. Next?

Re:Yes (4, Interesting)

NemoX (630771) | more than 9 years ago | (#10881869)

Or, do it enough and piss him off so that a policy will be put in place to start a versioning system with installation time tables. I have seen this backfire in favor of the admin before.

Webmasters are more lined up with programmers these days (think maybe .jsp, .aspx, etc.). And I can guarantee you that those programmers don't have root access to the web boxes in an environment that is properly set up. Why? Because they are programmers, not administrators...just as a webmaster is exactly that, and not an administrator. If you want root, you will need to prove that you are a capable UNIX administrator. Best thing to do if you want root, is to be his understudy and learn from him. Then, in time, when you are knowledgeable enough, you will get root. I doubt that you already have that knowledge since webmasters get paid much, much less that UNIX admins, so if you had it you would be a UNIX admin somewhere that would be paying you a heck of a lot more. Until then, sit back and enjoy the ride.

Re:Yes, Yes YES! (1, Funny)

Anonymous Coward | more than 9 years ago | (#10888043)

And when the understudy has thoroughly finished polishing the mighty admin's scepter, and it is glistening with saliva, then, the understudy gets their just reward.

Re:Yes (4, Informative)

Geoffreyerffoeg (729040) | more than 9 years ago | (#10881877)

It's entirely possible to function without root.

I webmaster the site for our state's math club chapter, which uses ASP/Access for online registration (not my choice - this is an inherited site, and our host is on NT). All I've got is FTP. I can function as well as I need. Exactly what do you need even non-root shell access for? All you should need to do is edit files and change stuff on the database...and the database should let you use a local client.

What exactly is a "full-scale webmaster" other than a system administrator also?

Re:Yes (0)

Anonymous Coward | more than 9 years ago | (#10882389)

Almost all software can be installed in your local account instead of the system directories.

Re:Yes (4, Informative)

rtaylor (70602) | more than 9 years ago | (#10882589)


Albeit to a limited extent. You have to ask your admin to install / upgrade software for you, but


Heck, It's PostgreSQL, Perl and Apache. None of those needs to run as root, be owned by root, etc.

Just get a few gigs of diskspace in your home directory and go from there. Since this person can be trusted as root, surely they know how to compile software to places other than /usr/local (or default path of choice).

Re:Yes (2, Insightful)

yasth (203461) | more than 9 years ago | (#10883251)

A lot of people like to use special user accounts for apache/db daemons, esp. in production environments. (Though there is some debate about this).

Oh well doesn't matter anyways. The proper way to handle such things is to make requests on paper, and with deadlines, you will either get what you need, or you will get root. (Truthfully if someones wants to maintain a server for me, handle backups, and manage security updates, well that isn't something I would complain about unless they didn't actually do it)

Well-known ports (1)

tepples (727027) | more than 9 years ago | (#10884523)

Heck, It's PostgreSQL, Perl and Apache. None of those needs to run as root, be owned by root, etc.

How can Apache listen on port 80 without setuid root? Do modern systems that follow the Single UNIX spec to some extent have such fine-grained privileges on the network stack that the admin can specify that user apache may bind a socket to TCP port 80 and listen on it?

Hate to answer myself, but iptables. (1)

tepples (727027) | more than 9 years ago | (#10884610)

After a bit more reading, others seem to suggest [slashdot.org] that the answer is Affirmative. It appears that on some network stacks, the system administrator can use iptables or the equivalent in other systems to forward port 80 to a port owned by a less privileged process in a chroot jail.

But do Solaris and the BSDs support such local port forwarding? I'm at a loss for Google keywords.

Re:Yes (1)

metalhed77 (250273) | more than 9 years ago | (#10887738)

True, but it's really a bitch sometimes installing software (such as CMFs) as non-root. Documentation / support is often times spotty, and I'd rather do it as root or get root to do it for me.

Re:Yes (0)

Anonymous Coward | more than 9 years ago | (#10884944)

Oh that's a good idea: cause as many problems as possible for the admin who is just trying to maintain security just because you are pissy that he wouldn't give you root. Grow up.

Ego (1, Flamebait)

nwmakel (816545) | more than 9 years ago | (#10880758)

I had the exact same problem. I said good bye and used a private box. Not much you can do if the asshole in charge is a power tripping ego.

Re:Ego (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10882397)

It's not a matter of ego at all. I don't give out root to the boxes I administer, although I've been asked many times. Why? Because when something goes wrong, I'm the one that's going to take it in the ass, not them. Blaming the other guy won't be an acceptable excuse.

The old excuse of installing software is also bullshit. You can install almost any program in your local directory.

Re:Ego (0)

Anonymous Coward | more than 9 years ago | (#10886845)

Twat.

what do u need root access for? (1)

SkunkPussy (85271) | more than 9 years ago | (#10880764)

and can you use sudo?

Re:what do u need root access for? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10882381)

You don't really know what you are talking about, are you, you british fag?

Why do you need root? (4, Funny)

mjpaci (33725) | more than 9 years ago | (#10880777)

Please, let us know why you need root and we'll then tell you 1) how to attain it using politics or 2) that you're being a baby.

--Mike

sudo (5, Informative)

xmas2003 (739875) | more than 9 years ago | (#10880783)

sudo [www.sudo.ws] is a great tool to control and log root access - if the UNIX Admins aren't using this already, they should be.

So document exactly what you REALLY need sudo access for, and *if* there is a business case justification, then they should be able to grant this on a per command basis. There should be no reason for a webmaster to "need" the root password.

Re:sudo (1)

seann (307009) | more than 9 years ago | (#10881251)

sudo sh

Re:sudo (1)

brunson (91995) | more than 9 years ago | (#10881460)

You're never configured sudo, have you? Or if you have, you've never configured it right.

Re:sudo (2, Interesting)

yarbo (626329) | more than 9 years ago | (#10882320)

sudo vim :sh I'd expect a text editor in the list of available commands...

Re:sudo (1)

cortana (588495) | more than 9 years ago | (#10882559)

rvim?

Re:sudo (0)

Anonymous Coward | more than 9 years ago | (#10882729)

Really? huh, w(hy)tf would you need to run a text editor with sudo? The most a webmaster should need is 'apachectl restart' (if that)

Re:sudo (1)

Breakfast Pants (323698) | more than 9 years ago | (#10883669)

Why would you expect a text editor. If you could run a text editor as root you could modify any files you don't have permissions to. The editor doesn't need to be run as root you just need permission bits set on the files that you need access to. Giving you root access to an editor is pretty unnecessary in any circumstances.

Re:sudo (1)

AhBeeDoi (686955) | more than 9 years ago | (#10883764)

And editors that allow the user to open a shell, like vim, are tantamount to giving root access to the user.

Re:sudo (1)

batzo (168271) | more than 9 years ago | (#10884724)

sudo vim :sh I'd expect a text editor in the list of available commands...

sudo vim -Z cures this little problem....

No (4, Insightful)

cookiepus (154655) | more than 9 years ago | (#10880785)

You're the one trying to do politics. Your domain as webmaster is html files, scripts, etc. You don't need to have root pass to upload files. Everyone who uses someone else's system for hosting is a webmaster w/o root access to the server. The two things are unrelated.

As your sysop to do things whenever you don't have access to do something (set up a db?) If this happens often enough he'll reconsider the policy, but most likely you will be just fine w. the privileges you have.

Re:No (0)

Anonymous Coward | more than 9 years ago | (#10882405)

don't have access to do something (set up a db?)

Setting up a database is a priviledge stored in the database software. This priviledge can be granted seperately.

SUDO (4, Informative)

missing000 (602285) | more than 9 years ago | (#10880794)

I'd just ask for sudo [courtesan.com] access to the resources I needed. Also, you never said why he denied access. Does the system have trust relationships with other systems he want's you out of?

Full administration (1)

fok (449027) | more than 9 years ago | (#10880795)

Full administration with no root passwd is possible only using sudo...

That would be my position... (1, Informative)

Anonymous Coward | more than 9 years ago | (#10880817)

See it from his point of view, most people are morons. I would never give root to someone who could well start running all kinds of crap, it's me that gets it in the ass when some dolt starts 'sharing' copyright material.

Get to know the guy, there's a whole load of politics that is required in a work enviroment and can be discarded if you trust people not to shaft you. It cuts both ways but you will get your root if you're not a liability and it makes his job easier.

Government Systems (3, Interesting)

digitalchinky (650880) | more than 9 years ago | (#10880824)

For the first several years working for DSD there was no way in hell they were going to give me root access to anything, my data and home directories could be measured in the tens of gigabytes just to overcome these limitations. That was solaris, unfortunately (in my opinion) to get anywhere near the same functionality (as root access) you'll spend a huge amount of time recompiling applications, tweaking config files to do things that probably nobody ever intended, along with being on your supervisors shit list for blowing out disk space, audit trails, and... well... just because...

Not easy.

No. (3, Funny)

epsalon (518482) | more than 9 years ago | (#10880833)

Diebold systems control politics.

Oh, you meant politics of UNIX system control? Never mind.

You just need 2 environments (5, Insightful)

Gothmolly (148874) | more than 9 years ago | (#10880872)

Test, and Production. Build a linux box, give yourself root, do all your play work there. When its time to make real changes, in 1 shot, ask the SA to do whatever you need (upgrade PHP to version foo, edit config file bar, etc). They're more likely to do it if you don't nickel and dime them every day for little stuff. Plus, you have the added bonus of not fscking up your main, real, this-is-your-paycheck website doing test work.

root for a webmaster? (0)

Anonymous Coward | more than 9 years ago | (#10880886)

root for a webmaster?
*rolls over laughing*
Please, if you needed root for a webmaster, on a private box, dumb clients(but politically savvy ones) would get root on shared hosting boxes, or leave(and they are usually politically savvy enough that the owner won't let them leave).
Why do you really need root for?
The prior admin had a ftp for every directory, and you weren't using mysql-based account storage, so you need to submit a request for all of them?

Thank you, you made my day.

Inherit the whirlwind (3, Interesting)

AndroidCat (229562) | more than 9 years ago | (#10880920)

You don't say anything about what else you inherited along with the website: Was the previous web admin a jerk? Was the server a pustulent boil on the face of the university's net?

Re:Inherit the whirlwind (1)

swdunlop (103066) | more than 9 years ago | (#10881154)

( I can't resist the troll.. )

He did say they were using embedded perl. ;)

Not Everything Requires Root (4, Insightful)

thenerdgod (122843) | more than 9 years ago | (#10880933)

You should only need root-style access to do one thing, and that's restart apache. And if your sysadmin uses, say, iptables/ipfilter, he could just redirect port 80 to some port above 1024 and then you wouldn't even need root at all! Quit whining!

"But Wait!" you say, "What about software upgrades? New Perl modules?" --Sorry, bub, installing and upgrading software is exactly what the sysadmin is there for. These are her systems. Not yours.

It's likely your sysadmin is smarter than you, and has been doing this longer. And while I'm sure you have "teh lunix" at home and run X as root "all the time", that doesn't make you worthy of having root on the universitie's box. Quite frankly, having been through this from the sysadmin's side, No, you don't need root, and it's YOU who's playing the political game, not them. It's their box, their system, their software. The limousine company owns the cadillac, you just drive it around and make sure it has gas. Thank you. Move along!

Re:Not Everything Requires Root (1)

M1FCJ (586251) | more than 9 years ago | (#10881388)

Can't agree more. The only time you need root access is a) you are doing system/OS level work b) you have a daemon using a port less than 1024. If it is case a, you are not a webmaster, you are a root. If it is case b, your root should be able to make sure you can stop/start the process, if asked nicely.

This jerk is asking for trouble.

Re:Not Everything Requires Root (1)

TheSHAD0W (258774) | more than 9 years ago | (#10881450)

Not to mention, running httpd corraled as a normal user account is a great way to beef up security.

You've mentioned nothing of your skill set ... (4, Informative)

dougmc (70836) | more than 9 years ago | (#10880971)

Now to the politics...the UNIX Administrator does not want to give me root access to this box.
Well, who's going to have to fix the box if you break it? The UNIX Administrator, probably.

You've not mentioned anything of your skills or previous experience. `Webmaster' could mean that you're a skilled systems administrator and/or programmer yourself ... or it could mean that you spent 15 minutes playing with Frontpage and Photoshop. Or anything in between.

What have others done when faced with this type of systems politics?
It's a university, so things may be different, but in the business sector, one makes a business case for needing root access, and puts that, plus the pros and cons into a presentation and presents that to management and the systems administrator. If you have the needed skills, and can convince people that having root access would make for a better web site, the sysadmin may be happy to let you have access to your box (because it may mean less work for him.) At least in the business world, politics definately exist, but a good business case can often cut through it like a knife through butter. (It's unfortunate when skilled sysadmins and programmers have to spend their time making Powerpoint presentations, but it's often how you deal with the suits.)

But if you're some `loose cannon' who doesn't know anything about *nix system administration beyond what you've read in some book, then root access is a disaster waiting to happen.

(As I said, I don't know which group you fit into.)

Is it even possible to function as a full scale webmaster without root access to the box you serve from?
It sounds like you've already answered your own question, and want us to come up with the same answer. `full scale webmaster?' In any event, my answer is `yes', which is probably not the answer you want to hear.

Not having root access is a blessing in disguise too. If something gets really messed up and root access is needed to fix it, you have the benefit of 1) not being blamed for it, because you couldn't have done it, and 2) not having to fix it.

One piece of advice -- what ever happens, don't try to `crack' root access. Getting caught, even if you think it helps you do your job, is likely to end in your being fired, and could even find you being arrested. (Yes, it has happened.) If you're a student, you could even be expelled. Not worth the risk.

Your answer (5, Insightful)

Safety Cap (253500) | more than 9 years ago | (#10881007)

"~ the UNIX Administrator does not want to give me root access ~. ~ Is it even possible to function as a full scale webmaster without root access to the box ~?"

This article advocates a

( ) technical ( ) legislative ( ) market-based (x) vigilante

approach to website administration. Your idea will not work. Here is why it
won't work. (One or more of the following may apply to your particular idea,
and it may have other flaws which used to vary from organization to
organization before a poorly thought-out, ineffective approach is suggested.)

(x) Sudo will allow you to do what you need
( ) Installing extra software on a machine without the Admin's knowledge
is bad
(x) You don't know what you're doing
( ) Hosting w4r3z and hacks on company-owned equipment is bad
( ) You are not mature enough to manage a box in a production environment
( ) Your users will not put up with it
( ) SCO will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from the Admin
(x) Requires immediate total cooperation from everybody at once
(x) Your employers cannot afford to lose services or alienate students
( ) Students don't care about your lack of web admin skills
(x) Anyone could anonymously destroy your entire site due to your
inept administration skills

Specifically, your plan fails to account for

( ) University rules expressly prohibiting it
(x) Lack of centrally controlling authority for servers
( ) 5kr!pt k!dd!35 installing open relays
( ) Backup and restore
( ) Asshats
( ) Jurisdictional problems
(x) Unpopularity of weird new configurations
( ) Students' reluctance to use an obviously hacked site
( ) Huge existing software investment current setup
( ) Susceptibility of poorly configured machines to attack
(x) Your willingness to install OS patches in a timely manner
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Extreme fun of web h4xx0r5
( ) Joe jobs and/or identity theft
( ) Technically illiterate school administrators
(x) Extreme stupidity on the part of people who think they need root
in order to do their job
( ) Bandwidth costs that will increase once the b0xx3n are pwned
( ) IE

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been
shown practical
(x) Any scheme based on 'su' is unacceptable
( ) Lack of knowledge upon how to manage a web server should not be the
subject of politics
( ) .htaccess sucks
( ) mysql sucks
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of campus networks
( ) Countermeasures must work if phased in gradually
( ) Surfing the web should be easy
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time root access is cumbersome
( ) I don't want the campus regents looking over my shoulder
( ) Web admins who have been coasting along with barely any knowledge
of what they're doing should be killed in a way is slow and painful

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.

Re:Your answer (1)

0racle (667029) | more than 9 years ago | (#10882021)

Can I use this form for work I need to do? Thanks for the laugh.

Re:Your answer (1)

GQuon (643387) | more than 9 years ago | (#10883013)

I think that form, in various permutations, has been making the rounds on spam discussion groups for at least a year.
The things that I found funnies when I read it the first time was:
Such a list existed.
After lots of technical explanations, stood the word "Asshats" :-) How true. If you build an idiot-proof system, the uiniverse will provide you a better idiot.

Re:Your answer (2, Insightful)

Christopheles (803724) | more than 9 years ago | (#10882055)

And if it gets rooted, whose fault is it? Seems like that alone is reason enough to just get the sysadmin to do everything.

Asshole (1)

metalhed77 (250273) | more than 9 years ago | (#10887956)

You may be right, but you're a goddamn asshole. Learn some courtesy.

What kind of Webmaster? (5, Interesting)

Androclese (627848) | more than 9 years ago | (#10881072)

Are you talking the modern Webmaster where their skill sets are limited to the design and content of the website or the Old-School Webmaster (like me) where you were responsible for everything like the OS, the software (Apache, mySQL, Perl, PHP), access (.htaccess, etc.), and the content (HTML, images, etc.)

If you're talking a Modern webmaster, then no, they don't need it. The Server Admin just has to make sure all the directories they are using are owned by the assigned user.

If you're talking Old-School, then yeah, it's pretty much a necessity; sudo at a minimum.

Re:What kind of Webmaster? (4, Insightful)

M1FCJ (586251) | more than 9 years ago | (#10881430)

Nope, still not necessary. Apache/MySQL/perl/PHP can be compiled and installed anywhere you like and doesn't have to be owned by the root. All of these (if applicable) can use unpriviledged ports and the only thing the root has to do is use iptables/ipfwd rules to make sure it is accessible as if they are running on priviledged ports. This is applicable especially if you are old-school, you should know how to change mysql's default listening port. Any odd idiot might not know how to do this but you probably would.

As for the contents and access, they are all files on a file system. Given the right access, you don't need more.

Even more importantly, as a secure site policy, webadmins should never have root accesses, in case the webadmin's account gets hacked into, they should not even be able to see inside the system. In some scenarios a chroot jail might be the best solution. Still no need for root access. That'd be just stupidity.

You don't need it (3, Insightful)

dimss (457848) | more than 9 years ago | (#10881097)

You can run Apache, perl and PostgeSQL without being root. Ask your admin for two things: port 80 mapping to 8080 and calling your startup.sh after boot (I do so in rc.local). And you're there.

Mod parent up (1)

TheLink (130905) | more than 9 years ago | (#10881183)

Other access he may need is the necessary rights/method in order to gracefully shutdown the system (logged of course).

Probably may wish to have one or two other user accounts too - so content that is to be "hard to change" can be owned by another account - just "read only" by the webserver.

It may not be politics - it may be the sysadmin thinks pariahdecss has not presented sufficient evidence of competency and responsibility in order to be trusted with having root privilege.

Re:Mod parent up (1)

M1FCJ (586251) | more than 9 years ago | (#10881443)

Shutting down a system? Why? We are talking about Unix here, not Windows and IIS. Restart apache and bob's your uncle.

Re:Mod parent up (2, Insightful)

TheLink (130905) | more than 9 years ago | (#10884503)

Apparently pariahdecss is in charge of/responsible for the webserver and it's the sole app there.

If the UPS/power supply/something makes funny noises or whatever, someone might want to go shut it down gracefully.

Might as well allow pariahdecss to do it.

Re:You don't need it (1)

tirnacopu (732831) | more than 9 years ago | (#10881591)

calling your startup.sh after boot (I do so in rc.local). And you're there.

You're there all right if you get the sysadmin to run your whatever.sh in rc.local ;)

Re:You don't need it (0)

Anonymous Coward | more than 9 years ago | (#10882443)

Not if you run it as that user.

Have a QA/Test environment (2, Informative)

t482 (193197) | more than 9 years ago | (#10881179)

Get a decent QA environment which is similar to production. Give the person an implementation plan for moving it to the other box. If it is a small environment in terms of people (which sounds like it is) and you want to put in many code changes - ensure they are scheduled for Friday or Saturday nights - no point in allowing him to still have a social life. In my experience in smaller environments eventually the sysadmin will capitulate and say - "OK - you do it yourself".

In larger systems (eg banks) typically this is the way it works. Generally you also need sign off from the sys admins and each change goes through a change committee where they validate the change. Another group often audits the code to ensure there will be no bad impact and the code is ok (no security concerns).

Re:Have a QA/Test environment (0)

Anonymous Coward | more than 9 years ago | (#10881458)

Get a decent QA environment which is similar to production. Give the person an implementation plan for moving it to the other box. If it is a small environment in terms of people (which sounds like it is) and you want to put in many code changes - ensure they are scheduled for Friday or Saturday nights - no point in allowing him to still have a social life. In my experience in smaller environments eventually the sysadmin will capitulate and say - "OK - you do it yourself".

That's just silly. If you were working in my company, I'd actively campaign to get rid of you or at least get you assigned to some other task. There is no place for playing politics in sysadmin area. If you want politics, become a manager or better, switch to politics proper.

Re:Have a QA/Test environment (1)

BJH (11355) | more than 9 years ago | (#10886832)

Scheduling system updates on Friday/the weekend is SOP in any business environment.

If, however, you do it unnecessarily, you're just asking to get put on the admin's shitlist.

I've been on both sides of the fence in this, and having users get in your face over a bunch of meaningless changes when you've got a major system upgrade scheduled is not something any admin needs.

Bad Title (0)

Anonymous Coward | more than 9 years ago | (#10881266)

Doh! I read this as as new conspiracy theory, with Unixes replacing the Illuminati.

Re:Bad Title (0)

Anonymous Coward | more than 9 years ago | (#10881490)

Yeah, isn't it perfectly obvious that Windows systems control politics?

You don't need to be root. (2, Insightful)

DarkDust (239124) | more than 9 years ago | (#10881293)

Seriously, the only thing I could imagine where you'd need root access is restarting the webserver if it's serving from port 80 directly. As others have pointed out, you could have the sysop do portforwarding from port 80 to 8080 and then be able to run Apache on port 8080 as normal user. Or you could have him give you sudo access to the Apache rc script.

Other than that I fail to see where any root access would be needed. You'll write and edit HTML and script files and you'll do some database stuff. There's absolutely no need to be root here.

I think a sysop who doesn't give you root right away is a good sysop. UNIX gives you all the tools and concepts to let you do your work without ever being root. But you have to get used to it. In the beginning you'll have to bug the sysop a lot but within a short timespan you'll finally get to a point where you won't need him anymore as you'll then be able to do your work... without being root :-)

Based on your question (1, Interesting)

kelleher (29528) | more than 9 years ago | (#10881306)

I'd say you don't know enough about UNIX systems to deserve root access. What exactly do you think you need it for? The only thing you really need is the ability to start Apache on port 80. Everything else can be done w/out priviledged access if setup properly.

Re:Based on your question (2, Informative)

MerlynEmrys67 (583469) | more than 9 years ago | (#10882321)

And even restarting apache on port 80 doesn't "Require" root - it just requires root privs for a single operation that can be isolated and controlled.

Root access should almost never be used unless actively administering the machine. Other than that, control should not be used - or issolated to things that certain people can be proxied for (ie. restarting apache)

Having said that - I am not all to certain why you would need to restart apache either.

Now, lets get down to what you might need.
A change management system that will allow you to move your test environment to a production environment

Other than those things - what else do you need on the production machine ?

hey newbie (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10881342)

why don't you just ask him to build you an IIS box and get a copy of frontapge. no offense but you're an idiot.

you are a webmaster, face it. (1)

M1FCJ (586251) | more than 9 years ago | (#10881348)

You are a user. Not a Root. The only things you need is access to your own database (not THE database). You don't need database creation rights. You don't need access to Apache. If you need mod_*, ask your sysadmin to sort it out for you.

The two things you need are rw access to some folders defined in Apache and rw access to some database backend. That's it. You don't need the root password. You are no longer working on Windows.

I've been on the sysadmin side (5, Informative)

blargh-dot-com (181292) | more than 9 years ago | (#10881352)

At a largish-university. There would be (and was) no way a webmaster would have root access to any boxen I controlled. For a number of reasons:

a) You don't need it. Making sure apache is up and running and patched is my job, and I probably do it to 50 boxes at once and have nice automated scripts.

b) Every single webmaster I met (until I left a few months) ago swore they needed root access to install some apache module or other. No, you don't. You ask the sysadmin and, most times, if he can do it without a huge amount of effort (pointing him to the exact URL of the module's home page, and even better, pre-compiled packages for your OS, would tend to improve his/her mood) then I will, after carefully evaluating it, its security, its size, etc.

c) Politics sucks, and the poor sysadmin generally has to fight tooth and nail for every little bit he/she can get. Going the political route and over your sysadmin's head is a very good way whatever box you end up controlling has a number of... strange issues. Not saying I did this, but I know a LOT of sysadmins who have. A LOT. A lot of people you normally wouldn't expect. Especially in a university or state-run organization, politics and political image counts for a lot, and if you use politics to override your sysadmin, they're going to be very bitter about it. Not a good idea at all.

d) Working with the sysadmin, if you can provide a DAMN good case, and actually show you know what you're doing, what will usually happen is the sysadmin will hand over root and wash his or her hands of the matter. Box gets owned? Your problem. Box goes down? Your problem. Operating system barfs? Your problem. Too many people having root is a terminally bad idea, and most sysadmins will avoid it like the plague.

e) If all you need is the ability to restart/reload apache, there are a number of other ways to accomplish that, as has been mentioned. Personally, I would have gone the 80->8080 route, because I didn't hand out sudo either. :)

Re:I've been on the sysadmin side (1)

jc42 (318812) | more than 9 years ago | (#10884642)

b) Every single webmaster I met (until I left a few months) ago swore they needed root access to install some apache module or other. No, you don't. You ask the sysadmin and, most times, if he can do it without a huge amount of effort ...

I'd agree in general, and I've generally told people that I don't particularly want the root password, because it will make me responsible for the machine's administration, and they're not paying me for that. But I did have an interesting case a few years ago ...

Several things came up (important users demanding mod_perl, mod_ssl, a few other mods, and of course the inevitable security upgrades) where su access was required because the port-80 server requires root permissions for a few milliseconds. I set things up, presented them to the admin ... and nothing happened. After a few reminders, it became obvious that he just wasn't going to get around to it. More Iportant Things To Do, y'know.

So I did the obvious thing. I started a server with the requested features on a higher port. No big deal. But it turned out that a number of the important users were using browsers that didn't recognize the :port syntax in URLs, so they couldn't get to the web site through the non-port-80 server. (Yes, there are browsers like that, and no, I didn't like it any better than anyone else, but I couldn't do a damned thing about it, and they wouldn't switch to a real browser. ;-)

I did make the 80->8080 mapping suggestion. This got me on the admin's shit list real fast. He started publicly complaining about me telling him how to do his job, and stuff like that. This puzzled me at first, because it seemed such an innocuous request. But by asking a few questions, I eventually uncovered the reason: He had no idea how to do it. And he wasn't about to learn from me (or anyone else, probably). I think he was just embarrassed by not knowing something that he obviously should know; we all know people like that.

So I just kept running both servers, the port-80 server that was the default install that the admin set up for me, and the non-port-80 server that was loaded like the users wanted. When people complained about the problems this caused (including for some of their users), I patiently explained that I knew how to fix it, I wasn't permitted to do so, and the person who could give me permission had never gotten around to acting on any of my requests.

The most useful thing I did was that I'd carefully saved the email on the topic as evidence. Eventually this got the admin, uh, "reassigned" to another position. His replacement was someone a lot nicer who put me on the sudo list (as a time saver to himself ;-).

But this did take a long time. At times, I was sorely tempted to break into "my" machine. But I decided to play the game. Anyhow, I wasn't the one suffering. I didn't care what port the server was running on. And it was somewhat fun to watch the politics develop.

You are the webmaster, not the admin (0, Redundant)

nurb432 (527695) | more than 9 years ago | (#10881365)

You dont need root access, its not your job.

If you need something done that needs root access, that is what the admin is there for, it is his job to that part.

Pretty simple really..

Fscking Unter-grads (5, Insightful)

Anonymous Coward | more than 9 years ago | (#10881499)

Every year I have to hear about this bullshit.

Listen kid, we're going to tell you this now, don't forget this lesson. You are not special. You are not the brightest little ray of knowledge to ever grace the halls of your university. In fact, the odds are very much that you are aren't even good enough to be the layer of slime the illumnai pond scum will float on. There are 10,000 other eager little faces just like you. And the odds are you aren't anywhere near the top end. If you were, the faculty would be putting you to better use than being the webmaster. Any idiot can be the webmaster, quite successfully, however, giving that idiot root would endanger the system the sysadmin is charged to maintain.

To summarize:
1) You are not special
2) You are should simply be happy you beat out those not smart enough to be webwanker
3) You should put your little ego at the door and realize the sysadmin is only doing his job, if he were stupid enough to hand you root, he should be fired.
4) Webwanking is not a technical task.
5) Webwankers *SHOULD* *NEVER* *EVER* have root. It *ALWAYS* ends badly, at my university we have a policy that says just that. And many defacements have been avoided because of it
6) Grow up! The sysadmin is getting sick of hearing this bullshit year after fucking year!

Re:Fscking Unter-grads (5, Insightful)

Farmer Jimbo (515393) | more than 9 years ago | (#10882952)

1.) If I had mod points I wouldn't be posting this reply.

2.) I had forgotten how truly evil it can be to work with 20 year old's who think they know everything.

3.) I remeber being 20 and thinking the world was so lucky to have me. Thank god someone older and wiser stepped on me hard and made me realize I was being a snot.

Re:Fscking Unter-grads (2, Funny)

harikiri (211017) | more than 9 years ago | (#10886534)

You forgot:

"You are not a beautiful and unique snowflake..."

Simple Criteria (2, Insightful)

qux.net (107853) | more than 9 years ago | (#10881636)

If you break the server by installing/misconfiguring/changing configs, who will fix it?
If the server goes down in the middle of the night/weekend due to configuration who will have to fix it?

If the first is not you, you don't get root.
If you don't at least share responsibility in the second (eitherwhoever's on duty or gets to it first, or it stays down once it's determined it's your problem until you fix it), you don't get root.

You both suck...... (2, Interesting)

JDizzy (85499) | more than 9 years ago | (#10881668)

I also have a bitchy so-called web master that wants root access, but I finally figured out it is his ego getting in the way of his own work. Ultimatly I created a sandbox where he can have root. Finux useres can try User-Mode-Finux hack, or if you use FreeBSD you can use a jail/prison, in Solaris you have containers, everwhere else you have chroot. Certainly my developers see my policies at politics, but I see it as idiot control.

When politics is more important than engineering (1)

davidwr (791652) | more than 9 years ago | (#10885544)

There are times when keeping everyone happy is more important than a fast or efficient computer.

Times like these are what user-mode-linux and the like are for :).

Well, for that and for testing stuff :)

Obstructive Cow Orkers (2, Insightful)

mkcmkc (197982) | more than 9 years ago | (#10881710)

To answer your question, it all depends. If your admin is good, not a misanthrope, and is basically interested in seeing the website succeed, you don't really need root. If not, you're probably going to fail anyway, as, even if you have the root password, he has more power to make you fail than you have to succeed.

Almost every job I've ever had has featured at least one technically incompetent, obstructive co-worker. You can try to point this out to the higher ups, but your main options are to deal with the person via diplomacy or to find a new job.

I once suffered, without root, under an admin who gave everyone the same home directory path, where the actual directory on each machine was owned by the user on whose desk the machine sat. So, if I logged into joe's machine, I'd be running his .login/etc rather than mine. (The admin claimed that this scheme simplified backups.) There were lots of other problems of a similar scale with this project, and no one with both technical skill and power to correct them. In a case like this, all you can really do is leave.

If you're new, I'd give it at least six months. You may not even have figured out yet who the true problem people are on your job. Maybe this admin will turn out to be your best friend or mentor (or vice versa).

Mike

Did Cliff put this up.... (1, Flamebait)

llamaluvr (575102) | more than 9 years ago | (#10881750)

...just so we could all make fun of the guy?

This is rediculous (1)

comwiz56 (447651) | more than 9 years ago | (#10882137)

Of course you can webmaster without root, how do you think hosting companies do it? You can upload files and admin the db. What more does a webmaster need to do?

Oh, upgrades on perl/php/apache you say? Wait... isn't that a sys admins job?

How-To do Politics . . . (5, Funny)

Dausha (546002) | more than 9 years ago | (#10882362)

First, get politics for dummies. Also, you don't need root, as has been said ad nausium. The fact that you are asking if you need root to be a full fledged web master demonstrates that you don't know what you're in for politically or technically. Odds are your admin is reading this thread and will know its you.

However, I'll give you the loaded gun. Go ye therefore . . .

1. Don't rock any boats for 90 days. You need this time to assess the political landscape and get to know who is really in control. You may find that the man in charge is not the man in control. If you start rocking your boat early, the man behind the curtain will be wise to you. IF that man is the sys admin you're trying to sweep the legs out from under, then clean up your resume.

2. Get to know the system you're wanting to control. You need to know why you need root to ask for it. Needing to install software is usually the best excuse since routine permissions will fix any routine need for root. This also requires some major server overall that you *need* to get the website to some grand plan you have. You do have a grand plan, right?

3. After the requisite time period (see 1), start making a lot of important installation requests staggared. Make sure you ask for it when he's swamped. That way he will seem unsupportive/inept. Don't forget to explain to man in control that you're not being supported.

4. Explain to the man in control that if sysadmin would only give you root, you could take care of this on your own. Don't forget to wave your hand in front of the man in control or the jedi mind trick will fail. Hope that man in control and sysadmin are not friends.

5. Hope that sysadmin is not politically savvy. If he is, prepare your resume. You have about a 25 percent chance of winning if you know what you're doing, and a 100 percent chance of pissing off your sysadmin.

If he's worth his salt, once you have effectively stolen root from him, the server will have mysterious problems arise that can *only* have been because he was forced to give you root. Root will be taken from you and you will have a) made a serious enemy and b) "proven" your incompetence.

The net result is that you will have weakened the organization as a whole.

Alternatively, you can work your ass off for several months to impress the hell out of all involved and show that you can be trusted with root. No politics required.

Re:How-To do Politics . . . (2, Funny)

sjames (1099) | more than 9 years ago | (#10884169)

However, I'll give you the loaded gun. Go ye therefore . . .

Meanwhile, for the rest of his days there, he should be on the lookout for dark rooms with floor tiles lifted, electrified doorknobs, wires attached to his chair, etc. Also avoid using the elevator (if any).

Yes (1)

wikinerd (809585) | more than 9 years ago | (#10882441)

Q: "Is it even possible to function as a full scale webmaster without root access"
A: Yes.

Be patient (2, Informative)

Darth_Burrito (227272) | more than 9 years ago | (#10882921)

I have just been hired as the webmaster for local college.

This is your problem right here. If your predecessor did not have root access, you are going to have to prove to the admin that he should give it to you. Even if your predecessor did have root access, the sys admin may not be inclined to hand out root privileges to anyone with the title of webmaster.

Just to give you some background, I work in a small college department, and I've got about three times as much access now as when I started 18 months ago (sometimes I wish I didn't). The secret is to be patient, work with the admins, and prove yourself over time. Also, help them out whenever you can (but only if you can). It's not in your interests to get in a power struggle with them.

Consider pursuing projects that will benefit everyone in the value chain. For example, a lot of people use write only memory for their web logs. Perhaps you could implement some kind of log analysis tool, that could:
1) Help the admin/you monitor attacks and load.
2) Help you/content providers monitor page usage and user demographics.

Maybe you could use something like AWStats [sourceforge.net] . A project like this will give you an opportunity to work closely with the admin, demonstrating both your expertise, and your ability to add value.

Shocked nobody's said this already, but... (2, Informative)

Shag (3737) | more than 9 years ago | (#10883598)


You don't need root (which they have said), because root can simply create a "web" or "www" group on the system (in the highly unlikely event one doesn't already exist), make you a member of the group, and give the group full privs on the stuff the webmaster needs privs on, e.g.:


  • /etc/httpd/ and things under it, so you can tweak httpd.conf
  • /var/log/httpd/ and things under it, so you can munge logs
  • wherever Postgres lives
  • whatever the web docroot is.


That's the course I'd probably take, in your root's shoes.

My 2 cents (3, Informative)

eyeball (17206) | more than 9 years ago | (#10884040)

There seems to be a lot of 'you don't need root access' replies. I'd go so far as to say 'avoid root access if you can,' especially in a politically volatile environment. You'll get less blame when something goes wrong, and you can relax while they take care of the system patching, managing its network connectivity, disk space, etc.

Working on a non-root server feels weird at first if you've run your own box for a long time, but other than the inability to listen on ports 1024 and a few minor resource restrictions, you should be better off. Coexisting on someone else's server can even make you very conscientious and more likely to keep a tidy server.

Also, if you have to ask the administrator to upload files every time you change them, and you find yourself making many changes, ask yourself if you are doing too many updates because you don't have a proper test/dev/stage environment (if not, shame on you!). If not, maybe a compromise could be made to script a bulk site transfer from stage to production that you could control.

Re:My 2 cents (2, Informative)

BJH (11355) | more than 9 years ago | (#10886817)

Good answer.

I work a lot on boxes for which I do not have root access (financial systems), and it's absolutely unnecessary if your admin is competent.

Add a new user? Ask the admin.
Restart a system service? Ask the admin.
Implement regular backups? Ask the admin.

Remember, it's his JOB. He's paid to do that sort of thing; you aren't. You're paid to get your application working and keep it working.

(Actually, you can do an awful lot even without root access. I've built a fairly comfortable environment on a bare Solaris box, including gcc, emacs, vim, Tcl/Tk, CVS, blackbox (because otherwise I would have been stuck with Exceed's godawful window handling), and many other utilities, and root was not required for any of that. There's a reason such things as PATH and LD_LIBRARY_PATH exist.)

Chroot Jails (2, Informative)

Bios_Hakr (68586) | more than 9 years ago | (#10884461)

Have the admin look into using 'chroot.' Basicly, he can build a virtual computer inside the actual computer...or something like that. Anyway, I know that my hosting company has 10 people per server and everyone has root in their own virtual computer.

Anyway, the point is if you screw something up, his server remains mostly unaffected.

last time I was in this situation (1)

alexdm (728255) | more than 9 years ago | (#10884615)

I kidnapped the Admin, tied him up in my basement and lit one of those 2weeks candles under his balls. Before you know it he fessed up the passwords.

a tale of root acquisition (2, Interesting)

tverbeek (457094) | more than 9 years ago | (#10884715)

OK, now that we've got all of the entirely-accurate "you don't need root" lectures out of the way, I'd like to share how I did get root on some boxes at the college I work at.

I started here 5 months ago. One of the things that got me the job was being able to tell my boss that "I know Linux", I've been running my own and a previous employer's web and mail servers for five years, etc. But that's not in my job description; it's someone else's job. In today's downwardly-mobile economy, I'm a mere "Technician" here.

I didn't push it. When a problem with DNS cropped up, I used my knowledge of how DNS works to help troubleshoot it, passing useful information to my boss and to the guy responsible for fixing it. A couple months later when we started having problems with DHCP, I stayed late helping to troubleshoot. When it happened again the next week and I was the only other person around, my boss logged me in under an account with root privilege (she has it because she's the boss, not because she's qualified to use it) so I could restart dhcpd. The next time, she actually gave me root, and I figured out what the problem was... but let the official admin get it working. After that, I kept my privilege to maintain the DHCP system to make sure it stayed operational.

That sounds like the end of the story, but it continues: I determined that the real problem with DHCP was that we didn't have enough addresses to accommodate student laptop plug-ins. I suggested a solution, and the boss let me do it: set up an old P2 box running Coyote Linux as a router, putting 30+ machines on their own subnet, thereby alleviating the problem (at zero expense). And on that box I don't just have root... I am root.

A virtual server? (1)

gtrubetskoy (734033) | more than 9 years ago | (#10885144)


This may be a stretch, but can you talk you admin into installing a Linux VServer kernel or setting you up with a User-Mode Linux (UML) - this way you'll have root access and the admin will not need to worry about the security of the main box?

The horror! (1)

‹berhund (27591) | more than 9 years ago | (#10885198)

The Windows admins at a place I used to work let the web developers admin an IIS server. They were forced to revoke admin privs later, when they discovered that, among other travesties, they had granted system-wide full-control file access to the guest account.

So, I can understand the perspective of the admins, and it's not necessarily just a power trip.

It's a Windows box (0)

Anonymous Coward | more than 9 years ago | (#10885698)

It's a Windows box.

It's already 0wned.

Full-control to guest doesn't make things any worse.

Mod this -1 flame +6 flame Bill Gates

No (1)

ninewands (105734) | more than 9 years ago | (#10885702)

I, along with two cohorts, admin pretty close to 100 boxes running a mixture of Linux, Solaris, Tru64 and Irix in a university environment. We host dozens of departmental and student organization websites from our servers. None of the webmasters have, nor do they need, root access.

In short, the answer to your question about overcoming the admin's "power politics play" is ... you don't. My boss reports directly for the Assistant Dean of the College of Engineering. Think you can beat that kind of clout?

Our stock answer when a Professor or a student organization insists on adminning their own machine is "Fine ... you break it, you get to keep both the pieces. You will get ZERO support from us." When they ask about shared root access or using sudo, the answer is "No ... end of discussion."

Administration of machines connected to the public network by fat pipes belongs in the hands of professional admins, not webmasters or programmers. Besides that, if your admin is any good, he/she will already have everything set up so that you don't NEED root access, so quitcherbitchin' and get back to coding.

Posting too vague (2, Insightful)

georgewilliamherbert (211790) | more than 9 years ago | (#10885913)

As has been pointed out more rudely by dozens of earlier responders, nothing in the initial question argues for needing root.

The job role of Webmaster varies widely, from people whose responsibility it is to make sure that the links work and just about only that, to people who own the applications and content management, to people who build the server from bottom up including OS install and web apps and programming and HTML code and UI specification.

The latter person owns the box. Most of the people short of that level don't need root. If you're maintaining the applications environment and need to install new versions of Apache, PostgresSQL, Tomcat or whatever, then you and the sysadmin need to come to an agreement on how that gets done.

If you need to restart Apache, that's what Sudo is for.

In any case, your job, rather than escalating the situation, is understanding and communicating the situation. If you need root, you need to understand and articulate why you need root. If you can't justify why you need it, you shouldn't be trying to go over his or her head. If you can make the case clearly and they still won't let you have it, then you can escalate.

But understand first and explain second.

Just to reiterate the point. (0, Flamebait)

jotaeleemeese (303437) | more than 9 years ago | (#10886276)

No fucking way.

Ged it now?

no root access? (1)

hpavc (129350) | more than 9 years ago | (#10886381)

In a politcal environment, use well documentated and clear trouble/issue tickets. Interlock them with the tasks you need to perform so that both of your supervisors and he know what he has to do and why you need the tasks done. If they want faster responses they can push him harder or tell you to work around it, etc.

If he is blowing you off playing EQ or doesnt like you, then you can still move on with your otherwork and tell the upstream people where things are at.

Likely you dont want to 'share' access to the servers anyways, let him get stuck with all that messy crap. You have enough on your hands.

Re:no root access? (1)

basingwerk (521105) | more than 9 years ago | (#10886962)

Another idea is to get a box which you do have root rights to, and do all your work on that. Then just give admin a tape with the stuff on it and tell him or her the installation procedure.

Re:no root access? (1)

hpavc (129350) | more than 9 years ago | (#10887020)

i would think you then would be fired, you dont setup personal machines at most places.

DBA needs DBA-level access? (1)

murcon (192204) | more than 9 years ago | (#10887288)

Heh. Several years ago I was hired as a consultant by Big Midwestern Appliance. All their DBAs worked at a facility in the next state over. My job was to design and implement an Oracle database on a small Unix box. However, I was not granted table-creation access on said database because (a) I was not a DBA, and (b) I was not an employee.

However, once the project reached critical mass, and I was emailing and phoning table change requests every 2 hours (no kidding), the DBA for our project relented.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?