For root work behind a firewall, we use 'priv'. It gives someone
root access for one command (an alternative to 'sudo' I believe).
It originally appeared in Unix World back in 1988. If anyone
wants it, I just uploaded the current copy to
ftp.unify.com:/ietf/etc/priv.c
(you may also want priv.fig and priv.txt for an explanation).
The nice thing about this is that it keeps a log file of all the
commands you run, so when you have a big mix between SA and
engineers who want/need root access and you want to find the
last user who changed /etc/rc (grep 'vi /etc/rc' /etc/priv.log).
Of course, I wouldn't use this on a firewall. And I would
discourage using it on machines with high security requirements.
But it's great for a single-user system or low-security hub.