[Theforum] What do you want to do ? Faster, evolt, kill kill!

.jeff jeff at members.evolt.org
Thu Apr 18 19:56:46 CDT 2002


> From: Ron Dorman
> > if dan has not excluded or cut off people who are
> > truly trying to help evolt.org, then why am i limited
> > to ftp access only on teo?
> I own and operate an ISP.  No one has shell access to
> our servers except myself and my admins.  Simply good
> security practice.

agreed.  handing out shell access willy nilly isn't a good idea.  i'm not
suggesting that shell access to the entire server is a requirement to do my
job, though there are aspects of my job that would be much easier with
complete shell access.  i do, however, need basic shell access to the

> Any shop I have been in when consulting and designing
> custom code, I had access to a work area with checkin/
> checkout tools to get the code I needed to work on.
> Most of them I couldn't even get the code I was supposed
> to work on until I was authorized by the project
> manager.

in contrast, i've never had to use code checkout tools or deal with an anal
project manager that decided what i worked on and when i worked on it.

we don't have project managers (if we did, i'd sure be "it" for teo) and we
don't use code checkin/out tools so i compare what i think i should be able
to do with what i'm used to.

> When I work on our sites from my home office, I have FTP
> access only.  The only reason I can think of for remote
> shell access is for admin purposes, to restart a dead
> server or service instead of having to drive to the data
> center, and only highly secured access then.

sure, ssh.

there are lots more reasons to need shell access.  changing groups on files
and folders so processes run properly.  copying, moving, and deleting large
chunks of files and/or folders is much easier and quicker to do via shell
access than it is via ftp.

shell access is also important for monitoring server "health" when tweaking
and performance tuning applications.  it can also be important when trying
to debug suspect applications.

> Maybe database - view data privilege to check the data.
> Unless you are designing and developing the db there is
> no need for any privilege beyond data view.

in my day to day job i do both application development and database design.
i see no reason to not do the same here since there are projects that
require the addition or modification of tables.

something that makes this situation completely different from any corporate
setting is that everyone involved is a volunteer.  we do what we can when we
have the time.  we should all do what we can to minimize the need to spend
time to accomplish things.  for example, to require me to go through the
process of getting someone else to add/modify tables for an agreed upon
application so i can begin building it is ridiculous.  it makes much more
sense, since i have database design experience, to let me go make those
additions/modifications when i have a free moment to work on the approved
project.  i'm no longer waiting on someone else.

if there's something i have access for that i don't feel comfortable doing,
i'm not likely to try to do it myself unless it's some form emergency.  for
example, i wouldn't try to install packages in oracle.  i'd leave that up to
dean since he has knowledge and experience to do that.

the argument that i don't need to install packages so i shouldn't have shell
access to the database at all because giving me that access by extension
gives me the ability to also install packages is a flawed argument.  i need
those involved to trust that i'll know where it's safe to tread and where
it's not and not make that decision for me.

> Moving files and folders and changing perms can be done
> with an ftp client.

you can't change groups or owners via ftp.  believe it or not, but i've run
into several instances of needing to be able to do that when working on the

> Restarting services is up to an admin.

if it's a staging machine, the developer should have access to restart
services or even restart the entire machine if necessary.

i have those rights even on production machines at work.

> I always checked with the sysadmin before doing anything
> I suspected might hang a service.

you don't always know when something you're building might hang the server.
unfortunately, it always seems to happen when someone with the right level
of access is around to take care of the problem.  or, if you're trying to
find what is causing it to hang, the person with the access doesn't have the
time or patience to stick around and constantly kick the machine everytime
it hangs.

> If I did hang a service I called the sysadmin.  (these
> are from the consulting perspective, not my servers)

if i hang a service, i kick it myself.  if it doesn't restart, i kick the
whole box.  when it comes back up i continue with my

> For our hosting customers we provide a web interface to
> do restart services but it is all controlled by our
> software, not by shell access.

could work, but we don't currently have these capabilities in place.  what
do you do if the service doesn't restart successfully?

> Tuning also has been an admin task at most clients I
> have been in.  As for ftp account maintenance, any
> kind of access maintenance, generally is a function of
> a security officer or admin working for the security
> officer.

there are a number of settings that can be changed in the coldfusion
administration interface by a competent coldfusion developer to achieve
better coldfusion server performance.  there are also certain things that
can only be setup via the coldfusion server administration interface that
need to be changed at the most inopportune time.  a good example is
debugging options and ip addresses.

> If you really need these things to write code, provide
> proof of need, otherwise they are just "would like to
> have" items,  which have been very difficult to get any
> place I have ever been.

i don't really feel i should have to couch my requests for access as a
hardsell.  i wouldn't even bother anyone with them if they were just a want
and not a need.  in many cases, i feel that asking is information enough
that i need it because it seems like a need so basic to my "job" here.  ssh
access to the database is one of those.  how else can i even get facts about
table design?  even rudy will admit that the most recent erwin output he has
is outdated.

i take the notion that i need to provide proof of need for every request as
a slap in the face for all the effort i've put in since *day 1*.  i know
that's not what you meant, but that's how it feels to me.  i feel like i
should be an equal with anybody else here when it comes to decision-making
and implementation, but apparently others don't feel that way based on the
fact that i ask for what i need and get denied or the run-around.

> I thank you for the question and perspective.  It is a
> good one.  However, it seems to me we have some decent
> security in place.  May not be as extensive and
> inclusive as big corp stuff but decent for our needs
> and from what I have read on the lists, fairly
> responsive when a need arises.  I have waited 4 - 6
> days to get just user login access on some contracts.
> If we have a couple of hours response on most issues to
> a couple days response on a few, we could improve but
> aren't doing bad.

yeah, security at the expense of people having the tools and information
they need to do their job fully, properly, and efficiently.


we're a group of web developers working on a site for other web developers.
we're not storing national secrets on our servers.  we're not storing
people's credit card numbers.  we're not working with the nsa.  there's a
time and a place for security at the expense of people being able to get
their job done, do it efficiently, and enjoy doing it.  this is not that

finally, i wouldn't expect that anybody that's asking to help out with the
cms is going to need the sort of access i'm requesting.  keep in mind that
i'm asking for some of these things as a sort of project lead since i have
the most experience with the code for the cms.


jeff at members.evolt.org

More information about the theforum mailing list