16

Someone asked me to create a site for their online business which I did, handling a lot of the development myself. After I created my account on the site I told my employer "Hey, the site is ready you can create an account for yourself now." He did and I gave him some administration privileges from my account.

Then Mr. Showoff told him "Dude, I have root access to the DB which means I can do anything on the site."

He was interested and wanted root access to the DB which I declined. I said it was a bad idea because he doesn't know anything about DB administration or system administration and this can be a security risk. For example, it may conflict with the Principle of Least Privilege or he may accidentally run some dangerous command he doesn't know about.

However, he still thinks that he should have this access because he is the boss.

How can I handle this? Should I not care and give him access for no reason?

schroeder
Henry WH Hack v3.0

  • First check your own organisation's process on root access granting policies. It should be about "emergency access" conditions. Imagine you are not available; how will the next delegated admin gain access? – mootmoot Nov 02 '18 at 12:51
  • Can he assume you give him the password if he decides to fire you without notice? – Philipp Nov 02 '18 at 14:15

5 Answers

27

He is the Data Owner. Not you. If you get hit by a bus, he will need access. You should absolutely give him access. This request is not a surprise at all. If you built a website for me, I'd ask the same.

BUT, and this is the important part, you also cannot be competing with him for the administration of the database. You are the administrator, not him. He gets access, but he cannot use it. Once he does, then you are absolved from responsibility for the database. This bit you need in writing and it needs to be clearly understood. And then you need to log his access.

I completely agree that you should not be fighting for root access, but you can still provide the Data Owner access without competing for control.

schroeder

  • Exactly this. Unless there is some sort of weird joint-ownership going on (which does not seem to be the case given how it was described in the question), the owner needs to have the ability to take control of his systems if something were to happen to the developer. The owner sounds more interested in a power play than business practicalities, but his request is still perfectly valid. It is unlikely that he will actually do anything anyway. – Conor Mancone Nov 02 '18 at 20:23
  • I gave the owner of my company protected access to all system access credentials. He wouldn't know what to do with it even if he wanted to. But if I got hit by a bus he could bring in a competent developer and they would know what to do. It would make me exceedingly uncomfortable to work in any other way (either with him actually accessing the database, or with him having no way to access the database). – Conor Mancone Nov 02 '18 at 20:24

6

Been in this position a million times. Just explain that he could inadvertently break something if he's not careful, and give him the logins, as he does own it. Make sure to do a DB dump before, so you can restore if he does break it (for a fee, of course).

MikeSchem

  • I would highly recommend doing the explaining in writing. That way you have your back covered when things go south. – Anders Nov 02 '18 at 11:41

2

You should review the agreement with him (if you have any) and clarify such things. If he fully pays for the servers and you've created the website with full rights transferred to the client, I don't see the reason why you shouldn't give him the credentials, as in a few years' time you could be busy with another project, and he can find another company to work on it. If you pay for the server, you can create a dedicated SQL account with limited admin rights (e.g. preventing dropping the tables or database), as it's your server and you don't want to expose it to unnecessary security risks. In both cases, always make sure you have a daily backup.

Ideally, if you're creating the website with full rights transferred to the client, you should provide all necessary credentials during the handover in a formal way on completion of the project (a Word file or printed document), or point to the right software for handling these (e.g. a password manager, KeePassX or an encrypted file, Keybase, Ansible Vault, etc.). By handing over these details, he should accept the risk, and you should no longer be responsible, as long as you did your best securing these details.

kenorb
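As an added illustration of the "dedicated SQL account with limited admin rights" the answer above mentions (this is not kenorb's own code, nor from the question), here is a MySQL 8 sketch: the database name shop_db, the account name shop_owner and the password are placeholders, and the general log is shown only as a coarse way to record what the account does.

```sql
-- Added example, not from the question or any answer. Placeholders:
-- shop_db (the site's database), shop_owner (the owner's account).

-- What the question describes, shown only for contrast: a root-equivalent
-- grant that can drop any table or database and create further admins.
-- GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;

-- Limited owner account: can read and change rows in the site's database,
-- but has no DROP, ALTER, CREATE or GRANT rights, so a slip cannot destroy
-- the schema or lock the developer out.
CREATE USER 'shop_owner'@'%'
  IDENTIFIED BY '<placeholder-strong-password>'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 90 DAY;

GRANT SELECT, INSERT, UPDATE, DELETE ON shop_db.* TO 'shop_owner'@'%';

-- Enough for him to take his own consistent mysqldump backups,
-- still without any DDL privilege.
GRANT LOCK TABLES, SHOW VIEW ON shop_db.* TO 'shop_owner'@'%';

-- Verify the grants before handing the credentials over.
SHOW GRANTS FOR 'shop_owner'@'%';

-- Expected behaviour when logged in as shop_owner: the statement below is
-- rejected with "ERROR 1142 (42000): DROP command denied to user ...".
-- DROP TABLE shop_db.orders;

-- Coarse access logging (records every statement from every session, so it
-- is noisy and needs disk space; turn it off again once you have what you need).
SET GLOBAL log_output = 'TABLE';
SET GLOBAL general_log = 'ON';
SELECT event_time, user_host, LEFT(argument, 120) AS statement_text
  FROM mysql.general_log
 WHERE user_host LIKE 'shop_owner%'
 ORDER BY event_time DESC;
```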
2

Fully agree that if he is serious, and does not take your first "no" for an answer, you need to give him a full reply in writing, of which you keep a well-documented and secure copy on a system he cannot access.

In your reply, I'd summarise the reasons why he should not be using the root credentials, and perhaps a reference to something official (blog, link, book, white paper) to demonstrate to him that your recommendation is standard practice.

Finally, you offer to give him a sealed envelope, to be kept in a safe or at a bank, with the credentials. If (as is to be hoped) he does not insist, as he is convinced, it still seems good practice that the credentials are available somewhere, in case something happens to you (or even when you are on leave) and it is imperative that someone can intervene.

To be the only person with root credentials, or to use it as a potential blackmail / bargaining issue, is, in my opinion, bad practice, unethical, and gives developers (or whatever you are) a bad name.

1

For the record, this request concretely does violate least privilege (not just may). The other posts here are all good answers. In your position, I personally would try to dissuade the founder. If that doesn't work, then I would advise him on the risks of database access and, assuming he still wants it, grant it to him (in as limited a way as possible).

As everyone else said, I would document the entire process, including advising him on risks and receiving his informed consent. Depending upon the nature of the data I would consider involving the company's legal counsel.

Despite the way it tends to appear for many people in business fields, root access to a database is a serious thing. It can have legal implications, technical implications, and potentially cause enormous damages of a variety of types. We all know this, but not everyone does, and so explaining the seriousness is an important part of...taking it seriously.

Also, once more for the folks in the back row because it's a biggie: document everything.

securityOrange