No IT person you hire should get root access. They would have "wheel" at best or "system".
You give them wheel you're basically giving them root.
You give them wheel you're basically giving them root
Nope, not true.
I can lock down SSL keys and also monitor them to see if I need to rescind if root protected fully.
wheel on most unix is not mutatable to root it is subclass
sudo can be controlled, and additionally via DTRACE mods at file hook level the SSL keys can be protected fully from an elevated "wheel" admin. Way too much to talk about. I had to keep tutorial brief. SSL .key files can be held secure from IT admins.
Anyway, generally you only give wheel to "Snowden IT workers" doing hard drive image backups. but you write scripts to handle the ssl keys as a preliminary xfer task to a separate archive.
Nope, not true.
Yes it is true, that is literally the default functionality of the wheel group. Allowing users administrative access to a box grants them multiple ways to gain access to root. I can name dozens off the top of my head that you likely never thought of.
I can lock down SSL keys and also monitor them to see if I need to rescind if root protected fully.
To what purpose? Also the *nix nomenclature is "SSH Keys". If you give somebody wheel access with SSH and think I can't secure access to the system via a backdoor you are mistaken.
sudo can be controlled, and additionally via DTRACE mods at file hook level the SSL keys can be protected fully from an elevated "wheel" admin.
Yes Sudo can be modified, but you wouldn't do that at the wheel group level. There are better ways to do that don't deviate from system administration norms and best practices. Again, SSH Keys are not as important as you think they are. When a user has code execution on a machine they have almost infinite options for gaining access to the system via backdoors.
Anyway, generally you only give wheel to "Snowden IT workers" doing hard drive image backups.
NO NO NO, what the hell are you on about? You don't give full admin to somebody that only needs read level access.
Listen dude, I'm not trying to take a shit on you here, but don't spread misinformation like that with such confidence.
I cannot explain all my motives and reasons. I cannot teach you all I know in a few comments.
All I wrote was 100% factual and as person who can infiltrate unix boxes, I have my reasons for all my statements.
You keep erecting straw men arguments and shifting narratives and putting words in my mouth.
You keep trying to shift conversation to SSH keys.
I never once typed the word "SSH" and I never discussed SSH. I was discussing files read only by web server code for HTTPS called a "SSL" key.
SSL and SSH are related, but my long priceless info has nothing to do with SSH, and you keep trying to debate SSH and even try to misprepresent "wheel" and try to misrepresent WHY a backup IT admin that does remote image wipes and restorations of databases might require R/W levels of access.
Since you do not know what SSL keys are used for, I know you are trying to play me for a "tool" and historically once I feel I am being toyed with, I exit the thread once I am convinced the naysayer is not only wrong, but unwilling to learn, and possibly a bad actor, as Jews dog me across the Internet.
I will provide you a layperson beginner link to SSLs (used for HTTPS implementations) :
https://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
And though it might boggle your mind, my unix builds and implementations have controls lower level than "ROOT" access and for file and file buffers, that access is not a named enumerated real user, but a DTRACE controlled gated logic trampoline because I NEVER NEVER NEVER trust OS vendors or soft-hypervisor vendors. Even the code that controls the lowest level code mods of my windows and unix machines is itself protected code and only in RAM after a boot (encrypted on images).
I am done talking in circles with you.
I am confident because I am right and I have never been hacked in my life and run machines that hundreds wanted shut down.
I am not Andrew A , despite various online dossiers comparing my paragraph structures, but I am as equally infamous in my own ways in the cyber universe. And of course my actions in dozens of national news events, blogs, magazines, etc. But no one on this site knows more about STEM (biology, medicine, normal chem, math, computers) than I do, but I grow weary defending my statements of facts, and statements of how to run a server , being opinions as they are, open the door to nitpickers and misunderstanding fools.
I recall many an argument with people defending the multiply exploited Brave Broswer here, people with your attitude, or people defending TOR and TAILS even as I showed them hot exploits of TAILS, etc. I generously try to close security holes via posting exploit zero day alerts, but do not do pen tests because no admins appreciate wasting three days wondering why they are being penetration probed, not even me.
you wrote :
When a user has code execution on a machine they have almost infinite options for gaining access to the system via backdoors.
That is factually not true for over 6 years on any servers I control, as I am interested mainly in protecting SSL keys and database files but explaining even that statement to you seems like it would take 40,000 words because you do not know what a SSL key is, or why I need to known when to rescind my SSL keys and roll new ones.
Whatever, you have no idea the level of courtesy you just got by me even bothering to reply one more time to you.
Listen dude, I'm not trying to take a shit on you here, but don't spread misinformation like that with such confidence.
All my many fun facts are 100% factual, and no misinformation. 100%. You found no errors.
(post is archived)