On Sun, Jan 21, 2007 at 10:31:39PM -0500, Greg Folkert wrote: > * If the need arises use a method to allow "limited privileges" in > a granular way. I use "sudo" it allows one to give "user > creation" without giving the keys to the machine to the person > or helpdesk person.
I'm sure you're aware of this, Greg, but, for anyone who isn't that familiar with sudo, you need to go over the commands that you give untrusted people (e.g., the helpdesk person mentioned above) access to very carefully to ensure that none of them can be used to spawn a shell or execute arbitrary commands. If they can use sudo to run, say, vi or emacs as root (both of which can be used to run arbitrary commands, including /bin/bash, unless passed specific command-line switches to disable this), then you're "giving the keys to the machine" to them and they can get full root powers as soon as they think to type (in most cases) "!". -- I would rather be exposed to the inconvenience attending too much Liberty than those attending too small degree of it. - Thomas Jefferson -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
