Kevin;

Categorically, only your UNIX Systems Administrators should own root. And even that needs tight audit constraints. ....that's the law, and we're done talking about that...

More simply, I understand your issues with WebSphere on UNIX / Linux. We've been through this debate ourselves. First and foremost, every command typed must be auditable. Our conclusion is that unless the WAS Admins can tell you exactly and every command they will type as root, then they can't have it because server security would not be absolute at that point. Conversely, if they could tell you exactly / every command they would type, then it should be scripted in the first place.

So that leaves the question how do you do WAS Admin tasks that require root? If you break it down into absolute tasks, there really shouldn't be that many apart from upgrades. Although it may require additional cooperation between WAS Admins and UNIX Admins, (when was that a bad thing?) we've found that root was required far less often than suggested. The result is a more secure and efficient operation, with better communication.

Cheers;
E!

-----------------
Eric Wilson
MIS Consultant
MSG ST&O
Anheuser-Busch Companies, Inc.
One Busch Place 1CC-8
St. Louis, MO 63118

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Sal Torres/SBC Inc.
Sent: Wednesday, 10 November, 2004 14:34
To: [EMAIL PROTECTED]
Subject: Who should own WebSphere?

*** Reply to note of Wed, 10 Nov 2004 14:00:36 -0500 (EST/CDT)
*** by [EMAIL PROTECTED]

We did not have any problems.

sal

"Kevin A. Schmidt <[EMAIL PROTECTED]> writes:
>We are currently running the WebSphere Application Server (version 5.1) on
>a Linux for zSeries image.
>
>Since the installation requirements were to run the install process using
>the "root" id, WebSphere is currently owned by "root" and is started and
>running under a "root" id.
>
>We are aware of the documentation that shows how to go about changing the
>ownership of the WebSphere directories and files. However, we have been
>reluctant to change the ownership in case there are sideline issues that
>would cause problems if ownership was transferred.
>
>I would like to find out:
>1) If anyone switched over to a user without "root" authority and if they
>have had any problems.
>
>2) For those people that did not switch over, what drove the decision to
>keep WebSphere running under "root".
>
>Kevin Schmidt
>Supervisor, Systems Programming
>PHI Services Company
>room 3609
>701 9th Street, NW
>Washington D.C. 20068
>phone: (202) 872-2081
>cell: (202) 744-5714
>fax: (202) 872-2252
>email: [EMAIL PROTECTED]
>
>----------------------------------------------------------------------
>For LINUX-390 subscribe / signoff / archive access instructions,
>send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
>http://www.marist.edu/htbin/wlvindex?LINUX-390
