on Thu, Nov 02, 2000 at 12:16:26AM -0800, Krzys Majewski ([EMAIL PROTECTED]) wrote:
> kmself@ix.netcom.com writes:
>
> > I use a fairly liberal sudoers setting for my personal account. Yes,
> > this means that I'm usually only a few keystrokes away from being
> > root -- but that's what I'm after. And a password is still required.
>
> If you need a password, then why not just su?
> -chris

    $ man sudo

sudo provides granularity of control over what commands may be run by a
user. It also logs execution of commands. It also logs, and emails
administrator, failed sudo attempts.

There's a good discussion of sudo -- an entire chapter -- in _Linux
System Security_ by Scott Mann and Ellen L. Mitchell, Prentice Hall,
© 2000 ISBN 0-13-015807-0.

    Whenever system maintenance requires more than one administrator on
    a system, either the root password is disclosed to those who are
    involved or each administrator will have their own root account....

    In many other cases, however, there is a need to improve the audit
    trail for root. That way, when things go awry (whether due to a
    security compromise or not), the details are available and remedies
    may be determined. In yet other situations, the need for granting
    limited privileges to certain users is essential....There is a
    utility that can provide this functionality -- it is called sudo.

        p 173, _Linux System Security_

Examples of practical use.

For trade-show systems, certain system commands need to be run to
configure software or change settings. These should not be available to
show attendees. Providing access through sudo helps ensure the systems
aren't tampered with.

A QA department shares systems with various configurations of software.
Limited access to services (MySQL server, Apache), is required. Shared
root is one option, sudo is far better for limiting chances for
intentional, or much more likely, accidental, system damage.

-- 
Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.                      http://www.zelerate.org
  What part of "Gestalt" don't you understand?      There is no K5 cabal
   http://gestalt-system.sourceforge.net/        http://www.kuro5hin.org
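
The audit trail described in the message above, as an added example that is not part of the original post: a small Python parser that separates executed commands from failed attempts in sudo's syslog output. The log lines, host, users and commands are constructed samples, and the line layout is an assumption that may differ between sudo versions and syslog configurations.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread); layout follows sudo's syslog format.
SAMPLE_LOG = """\
Nov  2 00:10:01 qa1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/etc/init.d/apache restart
Nov  2 00:12:44 qa1 sudo:     bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Nov  2 00:13:02 qa1 sudo:   carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/passwd root
Nov  2 00:15:30 qa1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/mysqladmin reload
Nov  2 00:16:00 qa1 CRON[812]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<rest>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for one sudo log line, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    # COMMAND= is always last and may itself contain ';' or '=', so cut it off first.
    head, _, command = m.group("rest").partition("COMMAND=")
    fields, reason = {}, None
    for part in head.split(" ; "):
        key, sep, value = part.strip().partition("=")
        if sep and key.isupper():
            fields[key] = value          # TTY, PWD, USER
        elif part.strip():
            reason = part.strip()        # free-text failure reason, if any
    return {"ts": m.group("ts"), "user": m.group("user"), "reason": reason,
            "runas": fields.get("USER"), "tty": fields.get("TTY"), "command": command}

def audit(log_text):
    """Split a log into {user: [commands run]} and a list of failed attempts."""
    allowed, denied = defaultdict(list), []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue                      # not a sudo entry
        if rec["reason"]:
            denied.append(rec)
        else:
            allowed[rec["user"]].append(rec["command"])
    return dict(allowed), denied

if __name__ == "__main__":
    ok, failed = audit(SAMPLE_LOG)
    for user, cmds in ok.items():
        print(f"{user} ran: {cmds}")
    for rec in failed:
        print(f"FAILED {rec['ts']} {rec['user']}: {rec['reason']} -> {rec['command']}")
```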