Every tech company I've ever worked at, normal devs have had administrator access on their own Mac or Linux workstations; it's only usually the sales/product folks who have locked down Windows machines.
And most SRE folks have sudo access on production VMs too.
fwiw i think the article is talking about root on their lap/desktop machines, not production.
and regarding production, pure root access was revoked for everyone YEARS ago and replaced w/user and admin role accounts. admin was severely restricted, and could do most (but not all) things that root could do. this was for a server only, not accessing anything in borg/omega.
also, if a rando package was installed on a prod server there are safeguards in place that would detect a change and wipe it immediately. in my time that was called the 'assimilator'.
i'm sure that a very, very select few have actual root/sudo.
(disclaimer: i worked there 03-11, the role accounts were rolled out in 08 or 09 IIRC. things could be different now, and if so probably even more restrictive)
It wasn't quite immediately, it would take a few hours to detect+revert. And that was only the root fs, there were other places to hide things if you really wanted. But then there were other detection systems too. (Probably fairly different now, I left in '11 too)
In most orgs, you'll see Windows and the sysadmins and devs will have LOCAL\administrator, but not LOCAL\SYSTEM. That's usually because developing software (debuggers) or using sysadmin tools is an admin-only thing.
As for me, I do prefer Linux on the desktop proper, with appropriate sudo access for root access. But again, I also do want SELinux on as enforcing, and fapolicyd enabled with good setup. If it's a laptop, I definitely want clevis and tang for enforcing attested and encrypted drives. If my shit is stolen, I don't want to be the vector where everything is stolen.
I've only been at one such place. At Google the desktops mostly run Linux, and you pretty much only get another option if you're actually working on stuff that needs it.
That’s definitely selection bias. For big companies, in my experience, if you need a Unix-like development environment you’re going to be on a Mac. Small companies and startups are different of course.
Even every non-technical company I have known, except one, has allowed its devs root access on their own machines. I have never needed someone else's password to install software or run sudo on a work machine.
In the real world, endpoint security is very much a thing, and that means workstations so locked down, you can't even change the screensaver, let alone install unauthorized software.
If you work in health, for all intents and purposes you must be HITRUST compliant, and that basically mandates all sorts of lockdowns and network restrictions. ANYTHING that touches PHI must be airgapped.
> In the real world, endpoint security is very much a thing, and that means workstations so locked down, you can't even change the screensaver, let alone install unauthorized software.
I've been in the software industry since 1989 and I've never worked at a single company that didn't let developers have root/admin on their own PCs. "The real world" is quite a varied place.
It's really not that rare. For sure there are companies (big and small) which have a quite paranoid lockdown environment, but there are just as many which understand that local admin access is quite important for developer productivity and if you have the appropriate network architecture it's no less secure.
> You could also just do all of your development with fake PHI, but I've learned not to tell health people what to do.
Yeah, software companies like Google also lock user private data like crazy. But you can have root access (or at least you could when I worked there), cause for 99% of development, you couldn't touch actual user data anyway.
It really makes the most sense to grant employees the least amount of access possible for them to do their jobs. Anything else is courting unnecessary risk.
Did they _ever_ have root access in the last, I don't know, ten years?