
Ask HN: Is it normal for your team to have root access to your workstation? - SaguaroSun
I'm currently working remotely and I just got a complaint from my team manager because he was unable to log in to my workstation using the root account/password that everyone in the company knows. He wanted to use my workstation because it's the only one with a webcam and speakers for a conference call.

I've never been in this situation. I don't have anything to hide but still it feels strange to allow essentially anyone in the company to have root access to the machine I use every day.

Is this normal practice?
======
smt88
Not clear to me why anyone is logging in directly as the root account, but
let's leave that aside for a minute.

Tracing activity back to a user or machine is a common way to find out how a
mistake or security breach happened. If your manager uses your workstation,
can you be blamed for something he screws up?

Also, a device with a camera + speakers costs less than $200. A webcam costs
$20. Speakers are built in to almost every machine. If your company doesn't
have enough money (or sense) to equip everyone with conference-capable
equipment, that's not a well-run company.

~~~
SaguaroSun
It's not a literal "root" account. But an account that exists on most machines
that can sudo.

Thanks for the reply!

~~~
blackflame7000
That's much less egregious. It's very common for IT admins to implement
security updates or change virus scanners or policies behind the scenes.

~~~
marcc
It's not really that much less egregious than root. With this shared account,
anyone is able to log in and become root.

There are no audit capabilities when using shared accounts. Using shared
accounts is just a bad idea.

------
hluska
This might just be ruffling feathers, but if you work remote why does your
team lead need your machine's webcam?

That said, since this is company equipment, the more rational part of me says,
"Put up with it."

But from a security/auditing perspective, this 'policy' is an absolute
minefield, particularly because it sounds like each individual developer has
to set up this account on his/her own box.

What happens when someone is fired? Does every developer have to change the
password and disable the old account? What happens if one developer is off
sick that day? Will the company keep that hole open until that developer comes
back? Or will they kill off all of the sick developer's SSH keys?

Crap, it's hard enough to provide proper access control and monitoring when
everyone has a unique credential. I can't even begin to imagine what that kind
of policy would look like.

------
eip
>because it's the only one with a webcam and speakers

Lol. I would probably look for another job. Like at a real company.

~~~
richardknop
Exactly my thoughts.

------
ThrustVectoring
Oh jesus christ no, it's not (and shouldn't be) normal. Work activities should
be able to be reliably traced back to the individuals that did them.

------
12s12m
In a typical enterprise, devs usually don't have root access. The IT staff
have root privileges. However, IT staff does not equate to your boss. I
wouldn't personally be ok with something of this kind. However, I don't put
any personal data on my company's laptop.

------
tbirrell
I've worked at places where my supervisor had root access both ssh and a user
account, and we also allowed each other to ssh in for various reasons. No one
has ever been allowed on my workstation as me, though. Hard line.

~~~
AnimalMuppet
Um, can't root su to your user ID? Without a password?

------
peternicky
I don't think this is "normal" in any sense, however, as others have commented,
if this is company equipment, there is usually little you can do outside of
leaving the company.

In my limited experience working in and as a member of enterprise IT
environments, the people specializing in "security" typically seek to reduce,
as much as possible, what a user is able to do on the machine. Unless you can
document why you need extra privileges and have management that will support
you, it is a waste of time to ruffle feathers.

------
corobo
If you're working remotely how does having access to your webcam and speakers
help the manager in any way?

Edit: Here's me just now realising you're probably referring to a completely
different desktop in an office that has the webcam and speakers.. I'm gonna
head to bed now :)

------
thisone
Why was he complaining to you, that your company workstation, I assume that he
has in front of him if he's trying to use webcam and speakers (sigh), wasn't
responding to some stupidly shared root account?

Along with just about everything else you've said, that's also not your
problem.

------
hunterjrj
You don't specify whether you own this equipment or not. Is it company-owned?

~~~
SaguaroSun
Yes, it is company owned.

~~~
hunterjrj
It does seem strange that "anyone" in the company (by nature of having a
shared root password) can access your system. But if that's company policy,
however unfortunate it is, then you're obliged to follow. Unless you want to
take some kind of moral stance -- which could put your job at risk.

------
assafmo
I think it's ok only if he cannot send email from your account.

There was an Ask HN a few weeks ago about a guy that someone sent an email
resignation letter from him to his boss...

------
Grazester
At my old company the entirety of IT had a tech account that gave you basically
root access to all the computers.

I used an OS in a VM for all the things I could have.

------
wizzerking
Agree with you. No one except you for sudo purposes should have root access.
Lead should have an account set up on the machine for him to access.

