> The fact that you need to provide normal users with these kind of > privileges indicates a possible flaw in your overall scheme. You may > find that, after careful reconsideration, there are precious few > commands that you would actually have to allow the users to run with > superuser privileges.
Similar issues have been bugging me for a while, so let me chime in. I'm using OpenBSD on a laptop, and I find there are actually quite a few commands that require superuser privileges from an ordinary laptop user, namely /sbin/dhclient /sbin/halt /sbin/ifconfig /sbin/mount /sbin/umount /usr/local/bin/cdrecord /usr/local/bin/dvd+rw-mediainfo /usr/local/bin/gphoto2 /usr/local/bin/growisofs /usr/sbin/vnconfig Note that all of these commands are associated with access to the hardware, such as establishing an internet connection, shutting the computer down, mounting a USB flash drive, burning a CD/DVD, interacting with a digital camera, mounting an iso image, and so on. Some of the man pages (namely growisofs) warn against running these commands with sudo. What's a laptop user to do? Personally, I wish that the operator group would give a user full access to these ordinary hardware resources. But currently, the operator group is only given read access (but not write access) to a few devices, and access to the shutdown command (which produces a very annoying beep that is unsuitable for use in a boardroom or lecture hall). Does anyone currently use the operator group for anything, or is it just a historical vestige? Would there be anything wrong with giving the operator enough hardware access to run the commands above?
