Ask HN: Does your org disallow sudo on your dev machines?

1 pointsNikhilVerma3y ago5 comments

Recently my org decided to disallow sudo/admin access to all employees on their laptops. So basic things like updating the OS, updating VSCode need to go through an approval process.

I've never experienced a policy like this in any of my previous companies and it's incredibly frustrating.

Do you experience the same with your org? Do you have any success stories of getting through the red-tape and get permanent admin privileges? I am genuinely confused, perhaps it's a common occurrence across other IT companies and I am just oblivious to the fact.

5 comments

rcfox3y ago

I've had admin-restricted Windows workstations in the past, but my Linux machines have never been locked down for me.

When I started my last job, I did find that they had installed their own root CA and an admin account they could ssh into, but they never said anything when I disabled them.

khedoros13y ago

One company installed a root CA and issued the device with admin locked down...but IT would give a developer permissions just for being a developer, so that was the first thing we had new hires do. If you ran another OS, you had to install their root certs, or the internet was basically unusable.

Another company validated that a few things were installed and running (virus scanner, new enough update level, maybe a couple other things?) to connect to VPN, but otherwise didn't restrict control over their machines.

MexicanJoe3y ago

We use unrestricted Mac's at my company, heck many use their own laptop. But we have very restrict access rules for sensitive information. The majority does not have access to company or user sensitive information. We are trying to strike a good balance between security and just letting people do their job.

eastbound3y ago

How do you ensure that laptops that access user-sensitive information don’t have a virus?

Is it a solution to require to use a VM with no sudo, so PII is accessed from a machine with no sudo and proper audit trail?

dyhhfdhfgr3y ago

no. unless they hire preschoolers.

j / k navigate · click thread line to collapse