sudo and /etc/sudoers
jdow at earthlink.net
Tue Dec 30 02:41:04 UTC 2008
From: "Derek Broughton" <derek at pointerstop.ca>
Sent: Monday, 2008, December 29 15:27
> jdow wrote:
>> From: "Derek Broughton" <derek at pointerstop.ca>
>>> _Somebody_ has to run root programs, and ime it is both possible and
>>> advisable to have it not be somebody who is logged in as root. On one
>>> large server systems, I am one of the two prime administrators - neither
>>> of us actually has the root password, which _does_ exist but only the
>>> daytime computer room operator has. Works fine.
>> I'd feel safer with that sort of configuration if the sudo program had
>> an option to use a second password list that had a second unique
>> encrypted password for each of the sudoers. Then if your password is
>> cracked the person still can't get at sufficient root level tools to
> It would be pretty pointless, for the same reason that we don't want to be
> handing out the root password to everybody - _some_ (probably most) of
> users would just set the password to be the same as their user password.
> you did anything to prevent that, they'd either set it to the closest
> possible permutation of their user password, or write it down.
Write it down == firing offense.
The sudo password would have to be assigned via a password generator or
password approval tool. (So should the main password, in which case
both should be generated in one session.)
When I was doing stuff that required the most security I found myself
learning about a dozen different lock combinations, some push-button
locks and some really good GSA approved security padlocks - every 6
months. It can be done - unless you young whippersnappers are dumber
than I was at your age. (With that load I never DID memorize my
drivers license number.)
More information about the ubuntu-users