sudo and /etc/sudoers

Smoot Carl-Mitchell smoot at tic.com
Mon Dec 29 18:29:55 UTC 2008


On Mon, 2008-12-29 at 05:55 -0700, Karl F. Larsen wrote:

>     Yes and it is seldom used. With a lot of thought, if I was running a 
> Unix computer with many users I would disable sudo, get me a root 
> password, and handle the users with which groups they belong to. Limit 
> the amount of space each can use, and things like that.

sudo was designed to be scalable to control root permissions on many
systems with the same configuration file and allow multiple system
administrators to gain root privileges without having to remember a root
password.  If you have several administrators, changing the root
password can be painful and error prone.  That is one of the reasons for
the very general syntax.

sudo also lets you store the sudo policies in an LDAP directory, so you
do not have the maintenance chore of maintaining individual sudoers
files on each system.  With judicious use of groups, you can limit root
access to specific users on specific systems.  This is very handy when
you want a wider set of users to do "rootly" things on development systems,
but not on production systems.  sudo also gives you some auditing
capabilities, which are important in an environment with several admins.
While a malicious user can subvert the logs, the logging is handy for
doing analysis of administrative errors.

On a single user desktop or a server managed by a single sysadmin, the
full capabilities of sudo are rarely used, but the Ubuntu default (e.g.
users in the admin group get root access) is simple and
straightforward.
-- 
Smoot Carl-Mitchell
System/Network Architect
smoot at tic.com
+1 480 922 7313
cell: +1 602 421 9005
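
An added example, not part of the original message: a single sudoers file that could be distributed unchanged to every system, using groups and host aliases to grant root on development hosts but not on production. All host names and group names here are constructed for illustration.

```sudoers
# /etc/sudoers -- the same file is installed on every host.
# Host and group names below are constructed examples.

# Group hosts by role so rules can be scoped per environment.
Host_Alias  DEV  = dev01, dev02, build01
Host_Alias  PROD = web01, web02, db01

# Record every sudo invocation (allowed or denied) through syslog.
Defaults    syslog=authpriv

# Administrators: root on all hosts, each authenticating with their
# own password, so no shared root password has to be rotated.
%sysadmins   ALL = (ALL) ALL

# Developers: root on development hosts only. No rule matches them
# on PROD hosts, so sudo refuses there and logs the attempt.
%developers  DEV = (ALL) ALL
```

Check the file with `visudo -c -f <file>` before distributing it, since a syntax error in sudoers can lock every administrator out of sudo on that host.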



