sudo and /etc/sudoers
mhaney at ercbroadband.org
Tue Dec 30 13:20:14 UTC 2008
Derek Broughton wrote:
> Res wrote:
>> On Mon, 29 Dec 2008, Matthew Flaschen wrote:
>>> Karl F. Larsen wrote:
>>>> Yes and it is seldom used.
>>> How on earth do you know?
>>> With a lot of thought, if I was running a
>>>> Unix computer with many users I would disable sudo, get me a root
>>>> password, and handle the users with which groups they belong to.
>>> Except magical groups alone will not let users have limited access to
>>> root programs, which is of course the whole point.
>> users should never be able to run root programs. this might be fine for
>> your lil home 1337 b0x3n, but not fine in the real world.
> LOL. What a ridiculous attitude from somebody who claims to be an expert.
> _Somebody_ has to run root programs, and ime it is both possible and
> advisable to have it not be somebody who is logged in as root. On one of my
> large server systems, I am one of the two prime administrators - neither one
> of us actually has the root password, which _does_ exist but only the
> daytime computer room operator has. Works fine.
I agree totally, for someone who says they could write a book on system
administration, this is a pretty short sighted attitude to take. When
needing root access you have two options. Hand out the root password,
OR use sudo to lock down that access to a minimum. As with anything,
logging in and running everything as root is not only foolhardy, but
unnecessary. Granted there are only a handful of apps that require root
access (traceroute and tcpdump are two I use constantly) but those ARE
useful in the 'real world' and regular users having access to those
tools is helpful if not entirely mandatory.
Sudo is not only important, it's vital for secure consistent and
granular control of root permissions for users. Without it, you can't
manage controls OR figure out who did what if an audit trail is needed.
Frustra laborant quotquot se calculationibus fatigant pro inventione
Sr. Systems Administrator
Call (866) ERC-7110 for after hours support
More information about the ubuntu-users