
As someone who used to sysadmin and was well aware of this trick: sometimes a developer or DBA will bully their way through leadership to make sure they never need to ask for permission to edit their configs.

We all knew it was a bad idea, but when your boss and their boss say do it, it's done.

I'm pretty sure the DBA (autocorrect magically suggested "diva" here) knew as well and just wanted a backdoor to have root for whatever they wanted.

I later busted the same team applying patches out of band with Tripwire. Hey, wonder how you pulled that off…




Nobody should ever need permission to edit their own configs. E.g., if a box is used solely as a database server, then the DBAs should have full root to it.


They only needed a backdoor root because you're a gatekeeping dick and they wanted to get their job done without having to "deal" with your shit.

OMG, they applied unapproved patches! To the product they were responsible for making work.


lol, restricting administrative access to the administrators is pretty much a security best practice in every company everywhere.

Ever heard of the principle of least privilege?

They didn't give me admin in the database and I don't want it. They aren't trained in the system, and if you've ever seen what kind of mess a bunch of amateurs can make of a shared system you wouldn't sound like such an idiot right now.

I'll be sure to tell the auditors that they are gatekeeping dicks for requiring change management on the financial databases.


That is all true. But admins need to be aware of the reasons other groups desire to go around them. Obviously they needed some patches on their database product.

OK, what's the easiest way to get it? Option 1: call the IT admin and say "hey bud, can we get these patches and see if it fixes my thing?" Or option 2: play some political long game to get sudo vi access via intense political pressure and then hack into the system to install said patches.

If you have to do option 2, then it's the FAULT of the IT system: people follow the path of least resistance. If there was so much hassle in getting a support organization to actually help you that it was actually easier to do it yourself, fighting (and winning) some political fight with the other dept. to get there, you tell me what's wrong with that support org?

This is why DevOps is an improvement.

You're trying to point at the auditors as being the dicks? Nope. Any engineer in the company can be equally responsible for configuration management. Wanna bet that the IT dept. has no process to allow other engineers to update configuration? Or that they won't do it on your behalf in a timely fashion? Simply delegate the patch configuration management of the DB to the DBAs and send the auditors to see the experts. There's a good chance they'd take the responsibility seriously and do a better job of it than you.
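As an added illustration of the "sudo vi" grant the post above refers to (this is example code written for this page, not anything posted in the thread or shipped by any project it mentions): a small POSIX sh/awk script that audits a sudoers-style file for rules handing an interactive editor to root and prints the same grants rewritten to `sudoedit`, which opens a temporary copy as the invoking user and has sudo copy it back into place. The sudoers fragment, user names, hosts and paths below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sudoers-style file for grants
# that run a full interactive editor as root (the "sudo vi" pattern), and
# show the sudoedit form that avoids handing over an editor process as root.
# Everything in the sample below (users, hosts, paths) is constructed.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sudoers fragment for the demo
Defaults env_reset
root    ALL=(ALL:ALL) ALL
dbadmin ALL=(root) NOPASSWD: /usr/bin/vi /etc/oracle/listener.ora
dbadmin ALL=(root) /usr/bin/systemctl restart oracle
appops  ALL=(root) /bin/nano /etc/app/app.conf, /usr/bin/systemctl restart app
webops  ALL=(root) sudoedit /etc/nginx/nginx.conf
EOF

# find_editor_rules FILE: print every grant whose command list invokes an
# interactive editor directly. A grant that already uses sudoedit is fine.
find_editor_rules() {
    awk '
        /^[[:space:]]*#/        { next }   # comment lines
        /^[[:space:]]*$/        { next }   # blank lines
        /^[[:space:]]*Defaults/ { next }   # option lines, not grants
        {
            eq = index($0, "=")
            if (eq == 0) next
            # the command list is everything after "=", comma separated
            n = split(substr($0, eq + 1), cmds, ",")
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]
                gsub(/\([^)]*\)/, "", cmd)                  # drop (runas) spec
                gsub(/(NO)?(PASSWD|EXEC|SETENV):/, "", cmd) # drop tag specs
                sub(/^[[:space:]]+/, "", cmd)
                split(cmd, w, /[[:space:]]+/)               # w[1] is the binary
                sub(/.*\//, "", w[1])                       # basename only
                if (w[1] ~ /^(vi|vim|view|nano|emacs|pico|ed)$/) { print; break }
            }
        }' "$1"
}

# count_editor_rules FILE: number of flagged grants.
count_editor_rules() {
    find_editor_rules "$1" | wc -l | tr -d ' '
}

# suggest_sudoedit FILE: each flagged grant with the editor word replaced by
# sudoedit; the user, host, runas and tag parts are left untouched.
suggest_sudoedit() {
    find_editor_rules "$1" \
      | sed -E 's#(^|[[:space:]:,])(/usr/local/bin/|/usr/bin/|/bin/)?(vi|vim|view|nano|emacs|pico|ed)[[:space:]]+#\1sudoedit #g'
}

echo "Grants that run an editor as root:"
find_editor_rules "$SAMPLE"
echo
echo "Suggested sudoedit form:"
suggest_sudoedit "$SAMPLE"
```

The check is a heuristic: it looks only at the first word of each comma-separated command and does not expand `Cmnd_Alias` definitions or `#include` directives, so in a real review pair it with `visudo -c` and read the aliases by hand. With the sudoedit form, the editor itself never runs as root, so no escape from the editor yields a root shell; change-managed files can still be delegated to the team that owns them.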


Why were they applying patches? And what were they patching? What were the consequences when you busted them?


These were Solaris 8 or 9 patches for some Oracle DB. Patch management back then was wild, and conflicting patches could cause problems.

Of course there were no consequences for someone bypassing the approval process and doing unscheduled changes as root. Now, if my team had made those changes without running it past the DBAs...



