Reply to post: Re: One trick I heard of..

YOU are the threat: True confessions of real-life sysadmins

Number6

Re: One trick I heard of..

Businesses, particularly those with only one admin person, should have a policy of root passwords being written down and kept in a safe and regularly tested to ensure they still allow access, and that password changes are recorded and done for good reason[1].

The one I've seen for small companies is for the critical passwords to be written down, sealed in an envelope with a couple of signatures (sysadmin and manager) across the seal. If any sort of access is needed in the absence of the sysadmin then it can be done, but then the passwords need to be changed and a new envelope created. It's more a way of ensuring access if the sysadmin wants to check out the underside of a bus, or similar, but doesn't protect against a malicious sysadmin.
