Who gets root access?

I'm working on a web application which handles some sensitive data. We're getting pretty tight on security, and laying out policies to lock down access to machines, and log everything for technical audit purposes.

The question we keep coming back to is this: Who gets root?

Our server instances will have a root user. That root user will have a password. Who should have access to this? Is it possible/desirable to have a machine where no one can have root access?

I'd appreciate any thoughts you have on the subject.


Solution 1:

No one. Make them use sudo so all root-level commands are logged and attributable to a specific person.

Solution 2:

No one except maybe a hardware administrator gets the root password! The root password should only be usable on the console, not via SSH or other services.

Use groups to define access to different sets of programs with escalated privileges using sudo. For example the wheel group is typically for people that get root privs, but everything gets logged as their user. If people don't need full root privs but only a few commands as some other user, make another group.
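The layout Solution 2 describes (root login disabled over SSH, one group with full sudo, a second group limited to a few commands, everything logged under the invoking user), as an added example that is not part of the original question or answers. The group names `wheel` and `appops`, the command paths, and the scratch directory `$OUT` are assumptions; the fragments are written to `$OUT` rather than to `/etc` so the script changes nothing on the machine it runs on.

```shell
# Added example (not from the page). Generates a sudoers drop-in and an
# sshd_config fragment into $OUT (assumed: defaults to /tmp/root-policy).
# To deploy: copy the sudoers file to /etc/sudoers.d/ as root:root 0440 and
# the ssh fragment to /etc/ssh/sshd_config.d/ (OpenSSH 8.2+) or merge it
# into /etc/ssh/sshd_config, then reload sshd.
set -eu

OUT="${OUT:-/tmp/root-policy}"
mkdir -p "$OUT"

# One sudoers rule: members of group $1 may run $2 as root, on any host.
# $2 is "ALL" or a comma-separated list of commands given by absolute path;
# a relative path never matches, so the rule would silently grant nothing.
sudoers_rule() {
  printf '%%%s ALL=(root) %s\n' "$1" "$2"
}

# Write the drop-in: logging defaults first, then one rule per group.
# log_input/log_output record the session for sudoreplay; sudo also
# syslogs every command with the real user name, which is the audit trail
# the answers rely on.
write_sudoers() {
  f="$OUT/sudoers-root-policy"
  rm -f "$f"                      # file is 0440 after a previous run
  {
    printf 'Defaults logfile="/var/log/sudo.log"\n'
    printf 'Defaults log_input, log_output\n'
    sudoers_rule wheel ALL        # full root, still attributed per user
    sudoers_rule appops '/usr/bin/systemctl restart app.service, /usr/bin/journalctl -u app.service'
  } > "$f"
  chmod 0440 "$f"
  # Always parse a sudoers file before installing it: a syntax error in
  # /etc/sudoers.d can lock everyone out of sudo at once.
  if command -v visudo >/dev/null 2>&1; then
    visudo -c -f "$f" >/dev/null 2>&1 || echo "warning: visudo rejected $f" >&2
  fi
}

# Root's password then only works on the console: sshd refuses the root
# account entirely, with password or key.
write_sshd() {
  printf 'PermitRootLogin no\n' > "$OUT/sshd-root-policy.conf"
}

# Print what group $1 is allowed to run according to sudoers file $2
# (empty output when the group has no rule). Used to review the policy.
allowed_commands() {
  sed -n "s/^%$1 ALL=(root) //p" "$2"
}

write_sudoers
write_sshd
echo "wheel may run:  $(allowed_commands wheel "$OUT/sudoers-root-policy")"
echo "appops may run: $(allowed_commands appops "$OUT/sudoers-root-policy")"
```

Note that the limited group gets whole command lines, not just binaries: `/usr/bin/systemctl` on its own would let `appops` run `systemctl start` on any unit, and editors, shells and pagers (including `journalctl` without `--no-pager` in some setups) can escape to a root shell, so each entry should be reviewed for shell escapes before it goes in.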