sudo and /etc/sudoers

Mark Haney mhaney at ercbroadband.org
Tue Dec 30 13:20:14 UTC 2008


Derek Broughton wrote:
> Res wrote:
> 
>> On Mon, 29 Dec 2008, Matthew Flaschen wrote:
>>
>>> Karl F. Larsen wrote:
>>>>     Yes and it is seldom used.
>>> How on earth do you know?
>>>
>>> With a lot of thought, if I was running a
>>>> Unix computer with many users I would disable sudo, get me a root
>>>> password, and handle the users with which groups they belong to.
>>> Except magical groups alone will not let users have limited access to
>>> root programs, which is of course the whole point.
>> users should never be able to run root programs. this might be fine for
>> your lil home 1337 b0x3n, but not fine in the real world.
> 
> LOL.  What a ridiculous attitude from somebody who claims to be an expert.  
> _Somebody_ has to run root programs, and ime it is both possible and 
> advisable to have it not be somebody who is logged in as root.  On one of my 
> large server systems, I am one of the two prime administrators - neither one 
> of us actually has the root password, which _does_ exist but only the 
> daytime computer room operator has.  Works fine.
> 
> 

I agree totally; for someone who says they could write a book on system 
administration, this is a pretty short-sighted attitude to take. When 
needing root access you have two options.  Hand out the root password, 
OR use sudo to lock down that access to a minimum.  As with anything, 
logging in and running everything as root is not only foolhardy, but 
unnecessary.  Granted there are only a handful of apps that require root 
access (traceroute and tcpdump are two I use constantly) but those ARE 
useful in the 'real world' and regular users having access to those 
tools is helpful if not entirely mandatory.

Sudo is not only important, it's vital for secure, consistent and 
granular control of root permissions for users.  Without it, you can't 
manage controls OR figure out who did what if an audit trail is needed.



-- 
Frustra laborant quotquot se calculationibus fatigant pro inventione 
quadraturae circuli

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support
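
An added illustration of the audit-trail point made in the message above (not part of the original post or thread): a small parser that turns the syslog lines sudo writes into a per-user record of what ran and what was refused. The log lines, host name, user names and commands are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format sudo writes (Ubuntu: /var/log/auth.log).
SAMPLE_LOG = """\
Dec 30 13:02:11 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0 port 53
Dec 30 13:05:40 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/traceroute 192.0.2.10
Dec 30 13:07:02 srv1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Dec 30 13:09:55 srv1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/passwd root
Dec 30 13:10:01 srv1 CRON[4242]: pam_unix(cron:session): session opened for user root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+"
    r"(?P<invoker>\S+)\s:\s(?P<fields>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or "COMMAND=" not in m["fields"]:
        return None
    # COMMAND is always the last field and may itself contain ';' or '='.
    head, _, command = m["fields"].partition("COMMAND=")
    rec = {"ts": m["ts"], "host": m["host"], "invoker": m["invoker"],
           "command": command, "denied": None}
    for part in (p.strip() for p in head.split(";")):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            rec[key.lower()] = value      # tty, pwd, user (the run-as target)
        elif part:
            rec["denied"] = part          # e.g. "user NOT in sudoers"
    return rec

def audit(log_text):
    """Group sudo activity by invoking user: commands run vs. attempts refused."""
    trail = defaultdict(lambda: {"ran": [], "denied": []})
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        bucket = "denied" if rec["denied"] else "ran"
        trail[rec["invoker"]][bucket].append((rec["ts"], rec.get("user"), rec["command"]))
    return dict(trail)

if __name__ == "__main__":
    for who, acts in sorted(audit(SAMPLE_LOG).items()):
        print(who, "ran:", acts["ran"], "denied:", acts["denied"])
```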
