IT professionals need to strike a balance between user freedom (such as letting them install any app they want) and keeping a predictable and safe computing environment. Several network admins give their advice about the best way to find and maintain that balance – with tech tips for each operating system.
Use a separate partition for the home directories, and set the mount options in fstab to noexec.
Done. =)
Wow, I wish that were always true. It works quite well for non-technical users, but for developers, it would cause issues.
My standard has been to get everyone to ask me if they need a new application, and I’ll add it to the standard apt-get list. Non-standard apps (like my custom compilied version of BMPx) go into ~/Applications.
Non-apt-get apps that everyone needs (ussually java things) go into /apps, and /etc/environment is set up to add /apps/bin to the $PATH. /apps is rsync’d from a central server on a regular basis.
If people really need root/admin access, we’ve got a big terminal server which people can run Virtual PC on. This works quite well.
I was forced however, to allow Admin access on a particular Windows machine so that people could use it for graphics work (Scanners don’t work under normal user accounts). Predictably, the computer is now full of junk.
Quotas may also help. Give them only this much space. If they want to use it for crap or for work it’s their choice.
We don’t have the budget or the man power to do most of the solutions listed. We’ve been using Spiceworks lately to at least get a notification that they’ve installed software. It doesn’t prevent installation, but at least now I know they installed/uninstalled software.
At work, I’m allowed to run as Admin — a combo of Zenworks, Ghost, and some other behind the scenes trickery actually cripples what I can do as “admin”.
I can install software, but I can’t create a user account — so I’m forced to run as Admin.
Best of both worlds, really. I don’t need to call IT when I need a software update or to change settings. They have better, more productive things to do with their time, and I don’t need to wait on them to get my work done.
My IT department also knows that if I ever stumble on to a way around their lockouts, I’ll tell them.
In the meantime, I can listen to my iTunes, play the videos on CNN.com (I am encouraged to visit sites like CNN, OSNews, and Slashdot as a part of “keeping current” for my job) and download and evaluate OSS programs that have some relation to my “jill of all trades” duties.
And for the proprietary stuff, so long as I can produce the license when IT does one of their surprise software audits, it’s all good.
Edited 2006-08-29 21:18
It is a good article, though I have some issues with allowing engineers to install software. My experience is that software engineers in actuality cause the most problems with computers if given the chance. This is not a slam believe it or not, just my experience. Normally when they install an application, they install it, break it, and then I have to fix it. There is no reason why someone needs to be able to install their own software at any place of business, since any changes to computers need to be approved through IT, since IT is the ones that are responsible to make sure the machine works, not the user who is installing software.
Howabout thinking of it this way: the company could continue to function without you security types. Maybe not well, but it would function. The business cannot grow without the engineers.
I’m a software developer, and I want a) admin rights, and b) the right to reinstall my os image at-will. It’s my job to understand how all the little pieces fit together, and it’s your job (as sysadmin, which is what I’m guessing you are) to assist, not hinder.
The last company I worked at had a lot of people with your personality, and guess what, nothing got done. My current company is much better, and I give them 110% as a result.
So get outta the developer’s way already.
“Howabout thinking of it this way: the company could continue to function without you security types. Maybe not well, but it would function. The business cannot grow without the engineers.
I’m a software developer, and I want a) admin rights, and b) the right to reinstall my os image at-will. It’s my job to understand how all the little pieces fit together, and it’s your job (as sysadmin, which is what I’m guessing you are) to assist, not hinder.”
I agree to the extent that the company could continue to function. My point is that it becomes non-productive for the engioneers to sit and rebuild thier systems all day. You need to write software. I am there to assist absolutely. Actually your job is to write the software, and it is the Sysadmins job to understand and know how all the pieces fit together. My job is to assist and ensure you can do your job. In reality you want to tinker, not work. Not meant as a slam, but if you want to re-install your machine, taking away your valuable time, how is that productive for the company? Maybe I am missing something here, and I could be.
Part of writing software _is_ tinkering. Frankly, I hate system administrators that couldn’t write a program to save their lives. Their entire schema of how things actually work is really off base most of the time. I also don’t get programmers that know nothing other than high level programming API’s. I’ve known some that write networking applications and yet don’t know what a TCP port is.
System administrators should also be good programmers and programmers should be good system administrators. The two are not mutually exclusive.
That said, I work as both a systems administrator and a systems programmer. There are some users that shouldn’t be allowed to do anything other than run a web browser. Then there are users that I trust to admin their own machine. It really depends on who. Having some draconian one-size-fits-all security policy does not and will not work.
By the way, the noexec flag to mount is _not_ a security feature. It has no real enforcement, and its sole purpose is to prevent the accidental exec’ing of binaries from different architectures on NFS mounts.
“Part of writing software _is_ tinkering. Frankly, I hate system administrators that couldn’t write a program to save their lives. Their entire schema of how things actually work is really off base most of the time. I also don’t get programmers that know nothing other than high level programming API’s. I’ve known some that write networking applications and yet don’t know what a TCP port is.
System administrators should also be good programmers and programmers should be good system administrators. The two are not mutually exclusive.”
That I can agree with to an extent. The issue comes in to where the programmers are not responsible for their systems..meaning if it breaks cause of something they did, it is the sysadmin’s responsibility to fix it. That is where the issue comes in. You sound like one of the few that has a clue, and I can respect that. Most I have met ask me questions like ‘How do I set an environment variable?’ That is one of the most basic items, yet most programmers I have met do not have the basic idea how to set one.
Part of writing software _is_ tinkering.
Not only that, but part of software development sometimes involves locating better tools that can make the process of software development easier and testing them to make sure they actually do the job.
I can use stock things like vi, diff, and grep for everything, but I’d rather use things like eskil and Nedit+ctags, and I vastly prefer Midnight Commander to a vanilla ksh prompt for file/directory management. The gains in my own personal productivity from using those things are fairly significant.
> I’m a software developer, and I want a) admin rights,
> and b) the right to reinstall my os image at-will. It’s
> my job to understand how all the little pieces fit
> together, and it’s your job (as sysadmin, which is what
> I’m guessing you are) to assist, not hinder.
I don’t think the article was specifically talking about developers. For non-developers, locking a box down seems quite a good idea to me.
It is a good article, though I have some issues with allowing engineers to install software.
I’m a software developer, and I install software, but NOT haphazardly. I only install what I need.
Unfortunately, I have to do this, since the company standard XP desktop only provides me with a fairly basic set of office applications on the Windows side and a basic set of development tools on the Sun and Unisys servers, and in my case their selection of tools simply do not cover all of the bases I need to cover.
Note that I only install software on my own desktop and the various DEV servers I work on — QA and PRODUCTION servers are not touched without following due process (e.g., the company installs all of the software on those boxes).
There is no reason why someone needs to be able to install their own software at any place of business, since any changes to computers need to be approved through IT, since IT is the ones that are responsible to make sure the machine works, not the user who is installing software.
We don’t have time for that. At a large multinational company, the process to approve a software package can take up to six months (or longer!), and we’ve had projects appear, get written, and then be cut over into production in a shorter period of time.
If I didn’t install things like DDD, ctags, NEdit, KDiff3, Cygwin, Teraterm, and other similar tools on my own, I simply wouldn’t have them, but as it is I can install them on my own with the sysadmins blessing as well as the blessing of the PC support group (I support them myself, and if I hork up my PC they will simply put a standard image back on it).
Edited 2006-08-30 18:21
“Unfortunately, I have to do this, since the company only provides me with a basic set of office applicatiosn on the Windows side and a basic set of development tools on the Sun and Unisys servers, and in my case their selection of tools simply do not cover all of the bases I need to cover”
To that I think your IT department is not doing it’s job. I am at a small company now, having worked for big companies in the past. Even at the big companies I made it a point to know what software was required per department and or function. If a machine comes in for a person they get it once all the software is installed so they should not need any more, though it happens rarely if a new tool is available. That way you would have all the tools you needed. I can even concede that my position is not needed at a development house, as they don’t really need a sysadmin.
To that I think your IT department is not doing it’s job.
Yes, I would agree. I’m slowly trying to overcome the level of organizational inertia I’m encountering, but it takes a while to locate the sympathetic ears. 🙂
Since they’re allowing me to install my own stuff when I can, I’m able to overcome most of the limitations in the short term.
If these people have web access, they can use web applications like mail, chat, etc.
The job of security should be to prevent damange to the system not to enforce fiats of upper managament that state that no user should ever be able to play Solitaire (or even DOOM 3) on their office desktop… As long as an apllication can be installed in a way that it doesn’t affect anything outside the installing user’s own account (which is the only PROPER way to create an App installer anyway) there is no LEGITIMATE reason to restrict people from installing that software. Articles like this should be squashed and destroyed rather than published OSNews. The corporate and educational IT establishment and their controlling ways need to be wiped off this planet, not encouraged.
That said, everything I said applies more to schools than it does to companies. I can see situations where companies might need to control, in a limited fashion, the software that gets installed, but keeping schoolkids from playing games in the computer labs and stuff is just plain uncalled for.