On 8/27/19 13:27, Denis Roy wrote:
> I think we're one of the last shops on earth that has SSH shell
> access right into our mission-critical infra. Even before 2009
> this practice was pure insanity from a data/systems security
> perspective but it was maintained as there were not many
> options.

While I am all in favor of the restricted shell efforts I think one
perspective has not been well documented. Do the "official
webmasters" have full shell access? (the answer I assume is: "yes,
of course"). So from another perspective, those people that say they
really need shell access are probably doing some level of "webmaster
work". That is at least part of the reason a lot of this got started
back when there was too much work for one webmaster to do and
volunteers were needed from the community. So, perhaps part of the
solution to the problem of shell access is for the "official
webmasters" to take over the work that Markus and Ed (and others)
are doing. Or, perhaps distinguish the use-cases some so that some
very few people are declared as "honorary webmasters" -- complete
with training and "security certification" or whatever you do for
the "official webmasters" to ensure a secure system.

I just had not seen the problem framed from this perspective and
wanted to do that before the topic closed completely.

Thanks for reading,

P.S. I am certainly NOT one of those honorary webmasters (any longer
:) so it does not really matter to me what you do -- just giving
unsolicited advice. :/