On Tue, Aug 07, 2018 at 08:07:56AM -0400, The Wanderer wrote:
> On 2018-08-07 at 07:47, Martin wrote:
>
> > The point is not, that ONE person needs a root password. All people
> > intended to do privileged things will have to share this password.
> > This is a security nightmare!
>
> If they're all trusted enough to be trusted with that password in the
> first place, this isn't a problem, any more than the one person having
> it is.
>
> If they aren't trusted enough to have that password, why are we
> permitting them to do anything root-level in the first place?

It's not just a question of trust, but also one of maintenance. What happens when one of the people with root access gets a new job?

Using su and a shared root password:
- Disable the person's account.
- Change the root password.
- Find a secure way to distribute the new password to all the people it's shared by.

Using sudo:
- Disable the person's account.
- Remove the account from /etc/sudoers and/or the sudo group.

Everyone else with root access is completely unaffected by the departure.

-- 
Dave Sherohman
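
Added example, not part of the original message: a check for the sudo offboarding steps listed above, reporting where a departing account is still granted root through a direct sudoers rule or a `%group` rule. The function names `sudo_refs` and `make_sample` and the sample accounts are hypothetical, and the files are constructed stand-ins for /etc/group and /etc/sudoers.

```shell
#!/bin/sh
# Added example (not from the original message): list the places where a
# departing account still holds sudo rights. Covers direct user rules and
# %group rules only; User_Alias entries and primary-GID membership are not checked.

# sudo_refs USER GROUP_FILE SUDOERS_FILE...
# Prints one line per remaining grant, nothing when the account is clean.
sudo_refs() {
    user=$1; grpfile=$2; shift 2
    # Groups granted sudo through "%group ..." rules in the given sudoers files.
    priv=$(awk '$1 ~ /^%/ { print substr($1, 2) }' "$@" | sort -u)
    # 1. Is the user listed as a member (4th field) of any of those groups?
    for g in $priv; do
        awk -F: -v g="$g" -v u="$user" '
            $1 == g { n = split($4, m, ",")
                      for (i = 1; i <= n; i++) if (m[i] == u) print "group:" g }
        ' "$grpfile"
    done
    # 2. Rules that name the user directly (comment lines start with "#", so never match).
    awk -v u="$user" '$1 == u { print "rule:" FILENAME ":" FNR }' "$@"
}

# make_sample DIR: write constructed stand-ins for /etc/group and /etc/sudoers.
make_sample() {
    printf '%s\n' 'sudo:x:27:alice,bob' 'users:x:100:alice,carol' > "$1/group"
    printf '%s\n' '# constructed sample' 'Defaults env_reset' \
        'root ALL=(ALL:ALL) ALL' 'alice ALL=(ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' > "$1/sudoers"
}

# Demo on the constructed files: alice is leaving, so both of her grants are reported.
demo=$(mktemp -d)
make_sample "$demo"
sudo_refs alice "$demo/group" "$demo/sudoers"
rm -rf "$demo"
```

Empty output for an account means neither check found a remaining grant; files under /etc/sudoers.d can be passed as additional arguments.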