Dennis Clark:
> You are implying that sysadmins should not only condone such activities, but
> actually SUPPORT them.
Rubbish. I wholeheartedly agree with Jimmy -- we want system
administrators who will contribute to ftoomsh in positive ways;
checking out and installing new software, helping and encouraging new
users, disseminating information, blah blah blah etc. Part of the job is
ensuring that the system is shared fairly between users (the
``rules''), but this is only a part and we definitely DO NOT want people
who are going to get some power trip from running around enforcing them.
> * Give a user a number of warnings (depending on the severity of
> the act) when you catch them doing something naughty before
> being Fascist and locking their account, rather than locking it
> first and having the user come crawling.
>
> * Being more passive in enforcing rules than what a Fascist
> sysadmin would be: for example, scanning publicly-readable files for
> 'improper material' rather than reading/looking at people's
> private files. The latter sounds evil but sysadmins are well
> within their rights to do so under the banner of "reasonable
> suspicion of breaking rules".
Here are my credos for ``sysadmins against fascism'':
* suggest and inform rather than warn. If someone is trying to download
zillions of megabytes of sound files during a really busy time, it's
probably out of ignorance rather than malevolence.
* locking accounts is to only get someone's attention, not to punish.
If you've repeatedly asked someone to do or stop doing something,
then maybe it's time to lock their account for a while. Next time
they log on they should get a message about why the account has been
locked, for how long, and who to go and see if they're really upset
about it.
* never search someone's files without giving them notice first. This should
only be necessary under extreme circumstances, with the consensus
of the other sysadmins.
> > Due to the "too many cooks spoil the broth and leave lots of holes" the
> > number of active sysadmins will probably number around 5, minus 1 or 2. I
>
> 5 is a lot for 1 machine, but I suppose we need that many seeing none of
> them will be working on ftoomsh full-time. May I suggest not giving
> them all the root password, and instead allow them to use some
> su-root-but-type-your-own-password-instead program like they have in
> SoCS. This makes it easier to tell different roots... err admins apart
> when they're logged in. Have only the Computer Systems Officer have the
> root password, with the console bootable to single-user mode in case
> s/he gets run over by a large road vehicle.
I don't think there is any loss of security by having all the sysadmins
knowing the root password. Doing all rootish things via some sudo- or
sus-like front end is still quite useful though; as well as the
automatic logging features it means you can turn off root logins from
anything but the console (ie: you can still su root, you just have to
log in as yourself first).
Cheers,
Christopher.