44

Questions related to this in a not specifically academic setting have been asked elsewhere, notably Should developers have administrator permissions on their PC? and Should dev be admin on their computer? My question relates to my job as an academic at a (UK) university.

I moved to using Linux at work so that I did not have to have my computer managed by my university's IT service. This is purely because they are poorly resourced/managed and so addressing small problems takes a very long time. I might, for example, have to wait several weeks for a piece of (free) software to be installed. This imposes unacceptable (to me) delays on my research. They are now changing University policy such that all PCs connected to the network are managed by IT (reasonable), backed-up (reasonable) and local admin privileges are restricted to those who can demonstrate a genuine need for them (reasonable, but I am unwilling to go back to not being able to make progress because of them).

I am confident that one way and another in the end I can persuade them of my need -- but I would like to avoid the delays, meetings, and aggravation this will involve.

What are good, unarguable reasons that I might need local admin rights? I'm currently thinking 'compiling code written by my co-author' but I might need something more concrete. They will not know enough about my research to know what I might actually need or not.

dothyphendot
  • 17
    Linux can be configured to allow the ability to install and run software as an unprivileged user (in at least some cases even using a package management system), so just that need is probably not a very strong argument. – dmckee --- ex-moderator kitten Nov 20 '16 at 22:10
  • 2
    What is wrong with the reasons in your second paragraph? And why would you ask us for a "single best" reason, when we can't really determine whether this reason applies to your situation? – 101010111100 Nov 20 '16 at 22:11
  • @101010111100 Good point. I have edited it to say "good reasons" instead of single best. For whatever reason, IT refuse to accept that their support is not good enough, thus this argument is hard to make in practice. – dothyphendot Nov 20 '16 at 22:15
  • @dmckee To clarify, it's not that I don't think that with suitable support I couldn't manage without admin privileges-- rather, that I don't want to put my research at risk because IT are under-funded/poorly managed, etc, and thus don't in reality offer suitable – dothyphendot Nov 20 '16 at 22:16
  • 14
    Are you allowed to run virtual machines in which you have admin rights? – CodesInChaos Nov 21 '16 at 09:41
  • @CodesInChaos -- to my knowledge not connected to the network. – dothyphendot Nov 21 '16 at 11:35
  • 1
    @dmckee I think you are wrong. There's a lot that you can do as non-privileged user, but not all. For example: You want to use a database engine. You can download the portable version. But it turns out it needs some library to be installed. You install this library locally, but it turns out this library needs other library. This library can only be compiled using C++ compiler. You don't have this compiler installed. You try to compile C++ compiler using preinstalled C compiler, but the version is wrong, so you need admin to install newer one. You waste a lot of time instead of doing research. – nuoritoveri Nov 21 '16 at 12:05
  • Can you connect a non-managed PC to the WiFi network? – StrongBad Nov 21 '16 at 13:31
  • @StrongBad Yes. Using Eduroam. I do this with (University) OSX laptop which is also going to become 'managed'. The alternative I suppose is to use a personal machine but then I would a) have to buy it and b) have to pay for the necessary licenses which would be very expensive. – dothyphendot Nov 21 '16 at 14:42
  • 6
    related but not full-answer-worthy: https://twitter.com/walkingrandomly/status/791559409457631232 twitter poll of academics. 79% of polled HAD admin rights, 16% didn't have admin rights and considered it a problem, only 5% didn't have admin rights and didn't mind. – StackExchange What The Heck Nov 21 '16 at 15:41
  • @nuoritoveri It’s standard practice among my colleagues to set up a user level system from scratch to avoid these issues. We’re working on clusters so — of course — don’t have admin rights. None of the things we do require admin rights. The one annoyance is that I currently cannot change my login shell but this is just that: an annoyance, not an actual issue. – Konrad Rudolph Nov 21 '16 at 18:55
  • 10
    Have you considered just letting them do what they want, and then opening a support request every time you need something done? Just aggressively (but politely) follow up on every request until it gets completed, and complain up the chain of command if it doesn't get done in a timely fashion. If you really need the rights, that's the best way to prove it. – barbecue Nov 22 '16 at 02:47
  • @barbecue I suspect that eventually this policy will slowly be dismantled due to exactly what you describe. But, it would be very costly to me to be subject to it in the meantime, and the meantime given their past record could take a while! – dothyphendot Nov 22 '16 at 09:05
  • 8
    When I write scientific code to test my theoretical results or to implement a method I am studying, I become, for all intents and purposes, a developer. Therefore all the arguments from the related StackOverflow question come into play, which was overwhelmingly answered with 'yes'. – cfh Nov 22 '16 at 11:49
  • 1
    Either there's something which you need to do, and can't do without admin rights, in which case you know what it is. Or there isn't, in which case you don't need admin rights. – jwg Nov 22 '16 at 14:15
  • @jwg In a well functioning system sure, but in the system I face, where obtaining rights once I give them up might take over 6 months (that's what it recently took another colleague under the old system) if it is possible at all, it's reasonable to want to avoid all of the loss of productivity associated with that possibility. – dothyphendot Nov 22 '16 at 22:17

11 Answers

49

So far, I have only come across one reason for needing something close to administrator rights on a fixed department machine: using scientific software.

When you start using a new scientific piece of software, you often have its source code, and need to build it first. Typically, there is no documentation of what exact packages in your Linux distribution are needed (as this changes over time, and there are many Linux distributions as well). So the process is:

  1. Try to build
  2. Identify the cause of error (installing new software, updating the compiler, ...)
  3. Fixing the cause of error (requires administrator rights)
  4. Repeat steps 1-3 many times until done.

You can only move towards the respective next issue when one has been resolved. It is unrealistic to assume that you can give an admin a list of required packages upfront.

Without admin rights and an admin reaction time of, say, ~6 hours, this process may easily take a week. With admin rights, the process will be much faster.

BTW: When you start using scientific software professionally, there may be more packages that you need to install (LaTeX, screen, ...), so the process continues.

If you tell the IT people that this is the (unavoidable) process with most scientific software, and you will need to work with ~10 such tools during your PhD, then you should have a good point. On a technical level, there may also be the possibility for "admin light" access, namely by whitelisting your username for "sudo"ing a package installation request. Perhaps that is an option as well in your case.

DCTLib
  • 5
    This is an excellent suggestion -- admin light rights such that I am able to install scientific software would address my key concerns. Although I would still be at their mercy for anything else (6 hours is very optimistic -- my last request took 2 weeks!). – dothyphendot Nov 21 '16 at 11:43
  • 8
    Sorry but none of this requires admin rights on a Linux machine. On OS X, sure. The only conceivable use of admin rights might be to change the default shell so that no default configuration is loaded but that’s strictly optional. – Konrad Rudolph Nov 21 '16 at 18:51
  • @KonradRudolph even if this does not quite cut it for my Linux machine, knowing that it will for my OS X laptop is also very useful. – dothyphendot Nov 21 '16 at 21:17
  • I had to hand-hack my .tex install. – Joshua Nov 22 '16 at 00:30
  • "Repeat steps 1-3 many times until done." I am getting back-flashes. – Keine Nov 22 '16 at 07:21
  • 8
    Not sure why this is up-voted so much - as various people have pointed out you DO NOT require admin rights to install software in Linux and in fact it is very bad practice to have admin rights for no reason... I work in IT and people doing stuff like this is the main cause of viruses/ransomware running rampant. Permissions should be the minimum required. – Milney Nov 22 '16 at 11:46
  • It is possible and encouraged to build software as an unprivileged user. When building from source is too cumbersome or reproducibility is important tools like Guix can be used, which also do not require admin privileges. –  Nov 22 '16 at 11:59
  • 1
    @Milney: because this might not be something the IT is willing to do on a per-user basis. It might be easier for them to give administration rights straight away. If I were the original poster, though, I would also argue that I can be trusted. I have not seen any colleague facing problems such as viruses despite all of them having root access on their machine. – Lucas Gautheron Nov 22 '16 at 18:01
  • 5
    @Milney No, but we need a decent packaging system that allows users to install software, otherwise a simple sudo apt install somesoftware may turn into hours or days of reading the instructions, compiling, missing prerequisites and dependency hell. Can we at least agree on this? Guix, mentioned above, seems promising (but I am not sure how it handles dependency conflicts with the local package manager). Give academics such a packaging system and I am sure no one will ask for root access anymore. – Federico Poloni Nov 23 '16 at 07:21
  • 2
    @Milney The rationale behind this answer is essentially what Federico wrote. You can of course install your own version of gcc/clang locally together with all required libraries. It just takes a long time (dependencies) and when something during the process doesn't work (compilation error messages, etc.), it is terribly difficult to find the culprit, especially since libraries and programs may use build tools that you are not familiar with (e.g., how do you tell Cmake where to find a custom-built library? Lots of documentation to be read to fix this). [...] – DCTLib Nov 23 '16 at 08:45
  • [...] Requiring a researcher, who actually wants to do research to get familiar with all the Linux build tools means days or even weeks of time spent that could be spent on research. Sure, the necessity to learn this may arise later, but I've also never heard of someone getting a virus from an "apt-get install" without adding custom package sources. – DCTLib Nov 23 '16 at 08:48
  • @DCTLib Some programming language-specific package systems (Haskell's Cabal, Python's pip) can install packages in the user's home directory. For others: it's not that hard or error-prone to configure build tools to pass "-I${HOME}/include" and "-L${HOME}/lib" as flags to the compiler resp. linker, or set the PKG_CONFIG_PATH appropriately, etc. etc. As Milney points out, there is absolutely no need for root privileges to use dependencies. It makes it easier, yes, but often only because software distributors don't write the installation manual with security in mind. – Rhymoid Nov 23 '16 at 16:13
  • In other words, you need to perform developer tasks, effectively meaning you need the permissions that any developer would need. – jpmc26 Nov 23 '16 at 22:27
  • So why not get them to give you permission to use apt-get then? Note: This is NOT the same as ROOT – Milney Nov 24 '16 at 10:06
  • @Milney Yes, this is what I proposed in the very last paragraph of the answer. – DCTLib Nov 25 '16 at 13:59
  • @DCTLib Indeed, I upvoted your answer, I was reiterating this to the other people in these comments who are still insisting root access is needed in their responses for some reason – Milney Nov 25 '16 at 14:01
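
The per-user build setup described in the comments above (`-I${HOME}/include`, `-L${HOME}/lib`, `PKG_CONFIG_PATH`, and the question of how to point CMake at a custom-built library), as an added example that is not part of the original thread. The function names and the prefix location are assumptions; `CPATH` and `LIBRARY_PATH` are GCC's environment equivalents of `-I` and `-L`.

```shell
#!/bin/sh
# Added example: build and install under a per-user prefix so that no step
# needs root. Function names and the prefix path are assumptions.

# prepend_path LIST DIR: print LIST with DIR in front, without duplicating it.
prepend_path() {
    case ":$1:" in
        *":$2:"*) printf '%s\n' "$1" ;;      # DIR already in the list
        "::")     printf '%s\n' "$2" ;;      # list was empty
        *)        printf '%s\n' "$2:$1" ;;
    esac
}

# use_prefix DIR: create the layout and point the toolchain at it.
use_prefix() {
    [ -n "${1:-}" ] || { echo "usage: use_prefix DIR" >&2; return 1; }
    prefix=$1
    mkdir -p "$prefix/bin" "$prefix/include" "$prefix/lib/pkgconfig" || return 1
    PATH=$(prepend_path "${PATH:-}" "$prefix/bin")
    CPATH=$(prepend_path "${CPATH:-}" "$prefix/include")                  # headers, as -I would
    LIBRARY_PATH=$(prepend_path "${LIBRARY_PATH:-}" "$prefix/lib")        # link time, as -L would
    LD_LIBRARY_PATH=$(prepend_path "${LD_LIBRARY_PATH:-}" "$prefix/lib")  # run time
    PKG_CONFIG_PATH=$(prepend_path "${PKG_CONFIG_PATH:-}" "$prefix/lib/pkgconfig")
    CMAKE_PREFIX_PATH=$(prepend_path "${CMAKE_PREFIX_PATH:-}" "$prefix")  # CMake find_package/find_library
    export PATH CPATH LIBRARY_PATH LD_LIBRARY_PATH PKG_CONFIG_PATH CMAKE_PREFIX_PATH
    USER_PREFIX=$prefix
}

# build_into_prefix SRCDIR: the usual configure/make/install cycle for an
# autotools-style tree, installing under $USER_PREFIX instead of /usr/local.
build_into_prefix() {
    [ -n "${USER_PREFIX:-}" ] || { echo "call use_prefix first" >&2; return 1; }
    ( cd "$1" && ./configure --prefix="$USER_PREFIX" && make && make install )
}

# world_writable DIR: list entries under DIR that any local user could modify.
# A directory on PATH or LD_LIBRARY_PATH that others can write to lets them
# run code as you, so this should print nothing.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Typical use (paths are placeholders):
#   use_prefix "$HOME/.local" && build_into_prefix ./some-source-tree
#   world_writable "$HOME/.local"
```

Each dependency built this way becomes visible to the next build through the exported variables, which is what replaces the system-wide package install in the build loop described in the answer.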
34

Actually, I don't think the most important thing to convey to the powers that be is that you have a valid reason to have admin rights. More important is to convince them that you will handle the admin rights in a responsible way.

The trick is to convey the latter while ostensibly writing about the former.

Think about it from their point of view. They are tired of distracted professors causing security risks and decided to draw a clear line in the sand.

In your one or two paragraph request, you need to come across very knowledgeable and with excellent judgment. Also indicate you would ask for help if in ANY doubt about anything.

It would be ideal if you could find an ally on the inside to support your request.

aparente001
  • 4
    I sympathise with their problem, they need to protect both themselves and overconfident users. I can easily imagine were they resourced/managed I might be more willing to trust them to manage my PC for me. I have had such rights, under the previous system (which required me to demonstrate that I knew what I was doing, to waive some rights to technical support, and to take responsibility for things going wrong), for over 10 years. But, the new policy is now much more restrictive, and they are not better resourced. – dothyphendot Nov 21 '16 at 11:40
  • 1
    Ex IT manager here... If someone tried to convince me they would be responsible, I would ask how? If they didn't come up with a good reason on the spot I would be done talking to them. This isn't really an answer but a comment, and one that could cause the OP more issues. – blankip Nov 21 '16 at 18:15
  • "handle the admin rights in a responsible way" without exception includes NOT installing unapproved software on the system. Especially freeware. So the OP should definitely not use the "install software" capability in any of their substantiation for needing admin privileges. Which unfortunately, seems to be the only reason the OP wants admin privileges. Thus, the OP probably needs to learn how most of the world works and live with the delays or learn to plan ahead and request installation of SW well ahead of it being needed. – Dunk Nov 21 '16 at 19:34
  • 39
    @Dunk Yeah... You're not an academic, are you? – David Richerby Nov 21 '16 at 21:03
  • @Dunk What do you mean by freeware exactly? The OP is talking in large part about Linux. We're not talking about installing freeware, as I understand it, but primarily free software. – cfr Nov 22 '16 at 03:13
  • 10
    @Dunk - Even in private industry, there are companies where software engineers are not assumed to be idiots and are given admin rights on their computers. Obviously, even in enlightened work environments, if someone is seen to exercise poor judgment, then he is given a shorter leash. – aparente001 Nov 22 '16 at 03:57
  • This is exactly how it works in the University where I am at. I don't think IT really cares why I need admin rights per se. Other than being able to articulate the reason being a good indicator that I know what I'm doing. – joojaa Nov 22 '16 at 07:54
  • 4
    When I was in this situation it was important to stress that I would NOT ask any questions; the only support I could get after getting admin rights was getting my computer restored to its original state. That was fine with me. Otherwise they are afraid of getting too many questions on things they never decided to support. – RemcoGerlich Nov 22 '16 at 10:06
  • @cfr - Re:"We're not talking about installing freeware". The OP said "have to wait several weeks for a piece of (free) software to be installed.". From Wikipedia - "Freeware is proprietary software that is available for use at no monetary cost." What part isn't freeware that we are talking about? – Dunk Nov 22 '16 at 14:39
  • @aparente001 - It isn't a matter of thinking the software engineers are idiots. It is a matter of protecting the network and most software engineers don't know the vulnerabilities present in the various applications that are out there. That's the reason for getting IT approval for being able to install applications. They are supposed to be subscribing to services that keep track of applications and known vulnerabilities. Obviously, the assumption that "software engineers" are not assumed to be idiots is inherently wrong, judging by the large number of data breaches that occur all the time. – Dunk Nov 22 '16 at 14:48
  • @Dunk Freeware, like open office, linux, gimp, LaTeX, TeX, python, Octave, Torch, Java, CDK, CellProfiler, Abalone, Chromium, Cling, BSD? The fact is every network can be compromised; you cannot have a reasonably large organization with a firewall of "unsafe" between it and the internet, and actually expect to make everything inside secure. Vulnerabilities appear in all software. There is no true scotsman. – Yakk Nov 22 '16 at 14:54
  • 6
    @Dunk 'Free software' is not the same as 'freeware'. The definition you quote applies to freeware. It does not apply to free software. Free software is not proprietary. Linux is free software. It is not freeware. The same is true for GIMP, LaTeX, TeX, Python, Chromium, BSD etc. (Not sure about the others listed in the previous comment, though Java certainly can be free.) You are talking about free as in beer. I understood the OP to be primarily talking about free as in freedom. The LaTeX packages I've published are free software, but they are certainly not freeware. – cfr Nov 22 '16 at 15:51
  • 3
    @blankip : Also an IT ex-manager. If an under resourced IT shop told me their panicked, draconian policies were going to be deployed responsibly and efficiently, I'd ask "How?" If they came up with the same answer they had been using for years defending their inability to respond in a timely fashion, I would be done talking to them. "I'm right because I'm right" is very popular stupidity in underperforming IT shops. – Eric Towers Nov 22 '16 at 15:59
  • @cfr - being that there is no 'authority' who decides what is 'freeware' and what is not then I can't disagree with your definition. All I can say is my definition of 'freeware' is looser than the Wikipedia definition. To me, any software that can be downloaded and used for 'free' which includes Linux, GIMP etc....is freeware. – Dunk Nov 22 '16 at 16:01
  • 5
    @Dunk You were the one who quoted Wikipedia's definition ;). You asked which part of it didn't apply. As far as I know, that is the generally accepted definition. In any case, if you mean 'freeware' in the broader sense, your claim that freeware is generally a source of trojans and malware is obviously false. If the OP really means 'Windows' when they say 'Linux' and 'freeware' when they say 'free software', then your claim has merit. Otherwise, not. Note that RHEL is freeware according to your definition, even if you pay for it because you can download the code etc. for nothing. – cfr Nov 22 '16 at 16:15
  • 4
    @Dunk Note that the network itself is subject to all kinds of applications running on it because users can connect their personal machines to eduroam. So the situation is quite unlike those in some settings where there really are protections in place to exclude non-approved software or non-approved machines accessing the network. Typically, a non-managed machine will have a similar level of access, whereas managed machines have direct access to internal resources. From the OP's comments, this seems to be the case currently. So it is really unclear how managing all university machines helps. – cfr Nov 22 '16 at 16:23
  • @Dunk Oh, please. I'm just a software dev, but if my department had to get IT approval for every library we use, we'd never ship. We literally have about 6 or 7 times as many devs as IT has people (and most of our IT doesn't have the skill set to support devs). Even if you did that, it wouldn't stop the devs from writing code that can be breached, which is where most vulnerabilities come from. I'm confident that the role of academics is similar in regard to needing to cobble together tools to solve their problems. Approving everything is a higher cost than most orgs can afford to pay. – jpmc26 Nov 23 '16 at 22:41
  • @Dunk And if you're talking about things like Heartbleed, Shellshock, and other recent, very visible vulnerabilities, most of those are in extremely standard software that IT would install as a matter of course without anyone even needing to ask. (A number of them even come installed in the OS out of the box.) – jpmc26 Nov 23 '16 at 22:46
9

The following makes excessive assumptions about what your work entails, but...

  1. Get computing time on an external HPC resource (in the UK that would be Archer or a field specific resource such as DiRAC), as you need compute resource beyond that which your university can provide.
  2. Say to the university that, as HPC systems run on Linux and they update software on their own release cycles, it's necessary for you to have your own Linux-based system that you can update to match so you can effectively develop and maintain the code to run on the HPC system.

This argument is much more convincing if you've already got point 1, or a history of using HPC or similar computing resource, of course.

Ian
9

At my institution, anyone in the C.S. department can get admin access under the assumption that we need to develop, compile, and test new software (including assessment of various packages). I just got this access last week, in fact. Support/request from the chairperson helps.

Daniel R. Collins
  • Indeed, this was previously our system too! – dothyphendot Nov 21 '16 at 11:46
  • 1
    Normally, you only need sudo access to your package manager in order to be able to develop, except when you develop kernel & drivers stuff. – Dmitry Grigoryev Nov 21 '16 at 13:03
  • 2
    There were several mentions of sudo, but what keeps you from doing sudo su -? They could restrict it to a particular program, but then it would either be not very useful or bypassable (for example sudo gcc -E ... -o /etc/sudoers). With package manager access you can always: remove something, replace the kernel, install something that has install time configuration and allows writing arbitrary files. And installing/compiling programs and libraries in your user directory should not be a problem. – Sebi Nov 22 '16 at 12:18
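
A check for the concern raised in the comment above about restricted sudo rules, as an added example that is not part of the original thread: it flags sudoers entries that grant a shell, a compiler or a package manager, the cases the comment describes as no real restriction. The function names and the sample rules are constructed; the parser is simplified and assumes one rule per line with no aliases, includes or line continuations.

```shell
#!/bin/sh
# Added example: flag sudoers rules that amount to full root.
# Simplified parser; an entry that is not flagged is not thereby proven safe.

# Constructed sample rules, not taken from the thread.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
alice   ALL=(root) NOPASSWD: /usr/bin/apt-get install *
bob     ALL=(root) /usr/bin/gcc, /usr/bin/systemctl restart cups
carol   ALL=(root) /usr/bin/systemctl restart cups
%wheel  ALL=(ALL) ALL
EOF
}

# audit_sudoers [FILE]: print "who<TAB>command<TAB>reason" for each flagged
# command. Reads standard input when FILE is omitted.
audit_sudoers() {
    awk '
    # Classify one command by the basename of its program.
    function reason(cmd,    base, n, parts) {
        if (cmd == "ALL") return "unrestricted"
        n = split(cmd, parts, " ")
        base = parts[1]
        sub(/.*\//, "", base)
        if (base ~ /^(su|sh|bash|dash|zsh|ksh)$/)
            return "root shell"
        if (base ~ /^(gcc|g\+\+|cc|clang)$/)
            return "compiler: output file chosen by caller"
        if (base ~ /^(apt|apt-get|dpkg|yum|dnf|rpm|zypper|pacman)$/)
            return "package manager: install-time scripts and file writes as root"
        return ""
    }
    /^[ \t]*#/ { next }                                  # comments
    /^[ \t]*$/ { next }                                  # blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }         # not user rules
    {
        eq = index($0, "=")
        if (eq == 0) next
        who = $1
        rhs = substr($0, eq + 1)
        gsub(/\([^)]*\)/, "", rhs)                       # drop (runas) part
        gsub(/[A-Z_]+:[ \t]*/, "", rhs)                  # drop tags such as NOPASSWD:
        count = split(rhs, cmds, ",")
        for (i = 1; i <= count; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            r = reason(c)
            if (r != "") printf "%s\t%s\t%s\n", who, c, r
        }
    }' "${1:--}"
}

# Demo on the constructed sample: flags the alice, bob (gcc) and %wheel rules.
sample_sudoers | audit_sudoers
```

In the alice rule the trailing `*` does not pin the arguments either: sudoers matches command-line arguments as one concatenated string, so the wildcard also matches extra options.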
8

I am an academic at a UK university. What you are requesting is not unusual and others have given good answers. There is however another solution which we have for research computers which is that the users have admin rights on their local research machines and have limited internet access on a different subnet which gives these machines the same access to internet resources as guests but does not give privileged access to internal university systems. This provides the level of internal network management and control which is necessary these days but gives flexibility for researchers. It does also mean that a researcher who also does teaching/admin may need a separate desktop computer as well as their research computer.

The other issue you have to realise is that admin rights are a privilege not a right in this environment. If they are misused you can expect to lose them. I have known this to happen where researchers have set stupid root passwords on their machines or where research students have downloaded illegal cracked software rather than asking for properly licensed installs.

John
  • 1
    The situation is currently as you describe, my machine has limited access to shared drives, etc, and I have control over it. I'm happy with this compromise. But, the new policy is much more draconian. – dothyphendot Nov 21 '16 at 13:03
7

Writing from the perspective of an IT professional (and former academic) who worked for a major University creating a managed operating environment to try and stop this thing - there isn't one. There is a faux-administrator access that gets around virtually any legitimate use of real administrator access so that's probably the best you can (should be able to) expect.

The amount of pain to IT support caused by incompetent administration of computers is incalculable. The number of machines they had to deal with that had been compromised by viruses, malware, bootleg software and a whole host of unpleasantness that you can probably imagine that is a consequence of attaching admin level users to minimally filtered and monitored high speed internet connections.

In order for a University to protect itself from criminal proceedings, it has to be able to control the computers attached to its network. The "good old days" sadly are over and it is no longer acceptable for academic staff to run torrent software committing massive levels of IP violation / theft from a university owned computer.

Your fundamental problem is not that you need Admin rights. What you need is not to be delayed when installing software. So, what that means is you need a better funded IT department. That is what you should be pushing for.

The IT department should have the resources to "package" software quickly. This means preparing it for safe installation and uninstallation along with any dependencies - like Linux package management but centrally administered. Good package management allows for self service installation so that would mean you'd be piggybacking off of the efforts of the whole University - if anyone else requested a piece of software, it would then become available to everyone and if it was free you could self install with a click. If it wasn't free you could provide approval to release the funds and get it installed automatically.

On a more practical note, if you absolutely have to play with admin level privileges - do it in a virtual machine. Preferably on a cloud based server.

Commercial IT is moving heavily in this direction and if my experience is anything to go by the computer science academics are very out of date in this regard and are not preparing their students for the real world. Look at tools like "Docker", "Bitnami" and "Eclipse Che" to see various examples of the sorts of tools that are available to pretty much eliminate the need for bare metal admin access.

EDIT

A few more points.

1) Academics (generally) do not appreciate how proactive you have to be to secure a network. It's poor use of their time to scour CERT looking for reasons to patch stuff so they don't - with unfortunate consequences.

2) If you have admin access, you will be able to cause much more damage. Click on an e-mail link from a non-privileged account and it's no big deal. Click on one as root and your account will be sending a phishing e-mail to the entire University address book within half an hour - causing man-weeks of clean-up for the IT department.

3) There really are no real legitimate requirements for full admin access these days that I can think of:-

Compiling software -> Isolated VM

Running old software -> Virtualized bubble (research "App-V" for example)

4) The advantages of a properly managed desktop are not just one-sided. If your IT department gets it right you will be able to:-

  • Log into any machine on campus and access your data (and your data will be regularly backed up and reside on a secure fail-safe infrastructure). No more USB sticks with critical and confidential data on them. No more academics in tears because the only copy of their work was kept on a single external HDD that failed.
  • Have access to that data from a home computer should you need it. Possibly with some caveats (having the right anti-virus installed maybe).
  • Have a LOT of available space if you need it.
  • Therefore if your machine fails you will be up & running less than fifteen minutes after the delivery of the replacement (depending on how many non-standard packages you have installed). Boeing has had this for YEARS. It saves them a fortune.
  • The ability to install (and uninstall) common software without involving IT.
  • Access to temporary (isolated from the internet) VMs in a secure University owned cloud with admin access to do tasks that absolutely need it. You should be able to stand up a virtual PC in less than 5 minutes and then discard it when you're done.
  • This technology can also be used to create virtual teaching labs with just the software you need for the class rather than expecting your IT staff to get 9+ units worth of required software to "play nice" with each other in the two weeks before the first semester starts.
  • Need a long-lived VM to do significant compute over several days/weeks/months? - service request. Possible cost to you if your need is excessive but the cost will be competitive with AWS or MS Azure equivalents.
  • Less stressed IT support because they're not overloaded cleaning up the fallout from the latest phishing scam so response times should be much better. In fact, you should have a published service catalogue from IT detailing what services they offer, how much they cost and how quickly you can expect a response. This is all standard stuff they should have time for if the environment becomes more controlled.

Seriously, this is a positive move. Embrace it, support it and you will be better off.

mcottle
  • 10
    Push for a better funded IT... and a unicorn for commuting. You'll likely have the same luck. I am administering my own machine, and I have never needed IT's help, freeing their time to deal with the people that need it. Plus, many academic packages are free for academics, so I can download and compile a copy, but the license prohibits its redistribution, so the university wouldn't be able to include it in their repository. – Davidmh Nov 22 '16 at 12:20
  • @Davidmh I know it's unlikely that the Unis will come to their senses but we can hope ;). Unfortunately in my experience for every academic that can competently administer their computer, there are at least two who think they can - and can't and even more who lose interest and don't patch regularly. You know, all those boring ITIL things that you pay IT to do so you don't have to :). Generally speaking the costs incurred by giving admin to categories 2 & 3 far outweighs the savings by letting 1 do it their way... – mcottle Nov 22 '16 at 13:25
  • 1
    continued... Also, the cost of having a completely chaotic out of control environment dwarfs any other cost. The Uni IT here is probably set to save several IT support person's full by doing this. Hopefully they redistribute them to improve support call response times. Then the original complaint evaporates. – mcottle Nov 22 '16 at 13:29
  • 3
    -1. Your ideas appear completely out of touch with reality. You talk about "compromised" computers and assume bad faith in everyone using your network, where in reality a machine not owned by the university has absolutely no difference with an average computer connected to an average ISP. ISPs deal with the "completely chaotic out of control" environment 24/7 with no issues whatsoever. The correct action to dealing with insecure computers is to isolate them from the secure network. – March Ho Nov 22 '16 at 14:48
  • @March Ho So your "in touch with reality" remedy is to "isolate them from the secure network" - good luck with that. Try that stunt at a major university and you'll find one of the computers you've locked out for being an Estonian spam relay is owned by a personal friend of a senior member of the government who then calls your VC to complain about you, personally - or so I've heard ;). Also, ISPs have no responsibility for your intranet or the software you run - just the pipe. Uni IT is responsible for everything from your keyboard to the final pipe out of the campus. TOTALLY different. – mcottle Nov 22 '16 at 15:35
  • 2
    @mcottle users can always install a VM with root access and do all the bad things that you want to prevent them from doing, and having it as unpatched as they may want to. (And you cannot forbid using VM since they are, sadly, a very common way of shipping academic software). Cloud based solutions aren't an option when you need to process TB of data. – Davidmh Nov 22 '16 at 15:46
  • @Davidmh - You're actually way better off with your heavy compute in the cloud. Cheaper, faster, more flexible in our experience. Our cloud compute had direct access to our NetApp vFilers. You saved your "TBs of data" to your home directory (mapped to the vFilers - available everywhere not just your computer - login cross-campus all good), dialed up the Cloud compute and pointed it at your data. It had fibre channel access to the vFilers and was darn near as quick as an external HDD. – mcottle Nov 22 '16 at 15:54
  • 4
    1. How does not having admin rights (or having them only in a VM) prevent me from running torrent software? 2. If a workstation in your network can become an Estonian spam relay, then there is something very wrong with your firewall configuration. – Federico Poloni Nov 22 '16 at 20:23
  • 1
    @FedericoPoloni 1. By blocking VMs from the internet. 2. Not mine, theirs :) If the reason for admin is to compile software, you can download the source from your locked down desktop, save it in a shared location the VM has access to and compile it in situ. That's not a reason anymore. In windows-land you can even package an application and run it in a virtual bubble with admin access. So the user doesn't get admin - the app does. All this talk about admin is SO last century and shows a) how out of date academics are with IT state of the art and b) Why it would be mad to give them admin – mcottle Nov 23 '16 at 04:44
  • Point #4 is nice in theory, but good luck on that in practice. I've been an academic at some great institutions, but IT is always underfunded and outgunned, particularly for personal machine support. My last institution could adequately be described as the best private school in the state, and while we had amazing Linux sysadmins that managed our research servers, all of our personal machine support started with a call to a help desk staffed with undergrads and took days to weeks to resolve simple issues. – David Nov 23 '16 at 05:38
  • @David Yep, but if you get the environment under control, the same amount of IT spend gets you much better service. The roadblock is usually a bunch of academics wanting something they don't need (e.g. admin access) and then having a hissy fit that would have shamed my three year old when they're told they can't have it. Logic does not come into it sadly. At least 80% of the University would be much better off with a locked down desktop as I've described and exceptions who do need something special can usually be accommodated without giving away the keys to the kingdom. – mcottle Nov 23 '16 at 05:56
  • 3
    @mcottle I've been in IT and I've been in academia. Throwing out ignorant statements about who is the "roadblock" is a 100% guaranteed recipe for institutional failure. Believe me when I say that I've dealt with academics throwing hissy fits. But, the function of the research university is to enable research. Research is what pays the bills and keeps everything going, and IT throwing up roadblocks to effective research is never a valid solution, even on the theory that things will be OK once everything is "under control". If the current IT situation does not give you #4, you don't have it. – David Nov 23 '16 at 06:04
  • @David it's chicken and egg isn't it? In a corporate, an SOE can be imposed by the CEO and all resistance is steamrolled. After the dust settles, most of the original holdouts realise they're actually better off. Unis don't work like that so you have to fight for years trying to persuade, wasting huge amounts of money trying to save even more. My point is that if you have a well managed IT environment, the impact on research is actually minimal. The reason Universities don't have them is ignorance and politics. – mcottle Nov 23 '16 at 06:28
  • 3
    @mcottle The reason that universities don't function well is because the people there are stupid and stubborn? You sound like you have very little experience with either university IT or with corporate IT. I'm not sure which. – David Nov 23 '16 at 07:01
  • The ability to install (and uninstall) common software without involving IT. But it's the uncommon software that's precisely the problem (software to analyse data from a piece of kit that only outputs a proprietary format). This is made worse by the fact that they don't even provide a lot of common FOSS like GIMP, Inkscape in many places. – Chris H Nov 23 '16 at 11:27
  • I similarly disagree with this comment. As the head of the technology department at two different universities I was given full admin access to our entire network both times. IT never had a problem with me, especially since I could troubleshoot issues on the spot without calling in trouble tickets. – Raydot Dec 01 '16 at 18:24
  • @DaveKaye - The head of a technology department has to be an extreme edge case. My point is that MOST academic staff do not need admin access to their computers and that on the whole it is more costly to provide it and clean up the messes than to lock it down and deal with the increased load on the support staff. There will always be exceptions. There will be very few of them that cannot be served by admin access to an isolated VM. Also, look at the original question, OP was fishing for plausible reasons to keep root access to a Linux box because they couldn't think of any. I rest my case – mcottle Dec 02 '16 at 03:29
  • @mcottle, indeed most don't. But some do. Extreme edge case or not. If the university IT is not responsive and an individual prof can handle his/her computer in a responsible manner what difference does it make? I used to give out this privilege to any faculty I trusted. Very quickly revoked if abused. My point being "lock first, trust second" is a nice abstraction but I'm not sure how useful it is for computing in an academic environment where the needs can change from prof to prof, semester to semester and even day to day. – Raydot Dec 02 '16 at 19:10