
In all production environments I've seen there is a shared user owning the active production processes. The idea is that multiple real users can sudo as the shared prod user and do maintenance, including running or killing tasks.

I find this annoying because the different virtual users keep creeping up in the system with their own environment (often you need to login on more than one user to have control over all the prod processes). Anyone can change the environment settings, things can get messy. In addition it's less obvious to know who ran what.

Isn't Linux meant to manage shared processes by properly configuring group privileges? Or are group permissions limited to file access? This thread explains that a user cannot kill another user's process by design, but I'm still not convinced we need "virtual" production users.

Robert Kubrick
  • It might be better to ask this on serverfault instead, since this seems to talk about server processes and the like? – Simon Lindgren Mar 27 '14 at 14:13
  • Needs more question, less rant. It will almost certainly get closed on SF the way it is currently worded. – Zoredache Mar 27 '14 at 15:44
  • @Zoredache I don't see much ambiguity in the group permissions question. Should I remove the text where I'm explaining why I am asking this? – Robert Kubrick Mar 27 '14 at 17:09

1 Answer


Even if you could use group privileges to do all administration, it would not be wise to run all services under the same user, since this means they can all read and write each other's private data.

So as far as security goes, skipping that part is not a good idea. Also consider that a potential attacker can get into the memory space of the most easily exploited service processes and then use that to access the private data of other services.

As for keeping track of who has done what, you should consider auditing for that. I found this (which I have not tested at all myself): http://www.woitasen.com.ar/2011/11/auditing-user-actions-after-sudo/

Simon Lindgren
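The answer points at auditing to recover who ran what through the shared account. Added example, not code from the answer or the linked article: a Python parser for sudo's default syslog records that attributes each command executed as the shared `prod` user back to the real user who invoked sudo, and separately lists refused invocations. The log lines, the hostname `web01` and the account name `prod` are constructed; the field layout is assumed from sudo's documented default.

```python
import re
from collections import defaultdict

# sudo's default syslog record: "<invoker> : [reason ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<invoker>\S+) : (?P<fields>.*)$"
)
# Constructed sample auth.log lines; hostname, users and PIDs are made up.
SAMPLE_LOG = """\
Mar 27 14:13:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=prod ; COMMAND=/bin/kill -TERM 4321
Mar 27 14:15:42 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=prod ; COMMAND=/bin/su - prod
Mar 27 14:16:10 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 27 14:20:05 web01 sshd[123]: Accepted publickey for alice from 10.0.0.5 port 5555 ssh2
"""

def parse_sudo_line(line):
    """Return a dict for one sudo record, or None for any other log line."""
    m = SUDO_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "invoker": m.group("invoker"), "denied": False}
    # COMMAND is always the last field and may itself contain " ; ", so split it off first.
    head, sep, command = m.group("fields").partition("COMMAND=")
    for field in filter(None, (f.strip() for f in head.split(" ; "))):
        key, eq, value = field.partition("=")
        if eq:
            rec[key.lower()] = value
        else:  # free text before TTY= is sudo's refusal reason, e.g. "user NOT in sudoers"
            rec["denied"] = True
            rec["reason"] = field
    if sep:
        rec["command"] = command
    return rec

def attribute_actions(log_text):
    """Map each target account (e.g. the shared prod user) to (time, real user, command) tuples."""
    by_target = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and not rec["denied"] and "command" in rec:
            by_target[rec["user"]].append((rec["ts"], rec["invoker"], rec["command"]))
    return dict(by_target)

def denied_attempts(log_text):
    """List (time, real user, reason) for sudo invocations that were refused."""
    recs = (parse_sudo_line(line) for line in log_text.splitlines())
    return [(r["ts"], r["invoker"], r["reason"]) for r in recs if r and r["denied"]]
```

Running `attribute_actions(SAMPLE_LOG)` shows that the `kill` against the prod process was alice's, even though it ran as `prod`; this only works if people go through sudo rather than sharing the prod password.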