
Re: sudo not suitable for multi-machine systems



[ Please don't Cc: me when replying to this message on a mailing list ]

Christoph Lameter <clameter@waterf.org> writes:

> I don't have one machine. I have a whole set here and the problem of
> administering them. I cannot worry about configuring each machine
> separately to simply have our system administrators perform network
> diagnostics. Each machine has different issues, so I cannot use the same
> config file on each machine.

Sorry for the late response, but having just implemented a
multi-machine (about a hundred), multi-platform (Solaris and Linux)
root-access solution using sudo, I can safely say that this complaint
is bunk.

sudo's configuration file is very easy to use and allows you to base
root access on the user, group, machine, network, and/or command that
sudo is run from.  It also allows you to set the user that the command
or command set is run as.  This means commands can be setuid different
uids for different users.  You can't do that with the setuid bit --
usually, you have to give away the whole store.
 
> The best would be if the stuff can be installed and then all in a
> certain group (accessible via NIS) have access to those privileged
> commands. With the amount of new installations and upgrades going on
> here I cannot see another solution.
> 
> And: Having group access restricted executables is the very thing
> the security scheme in UNIX was designed for.

sudo is implemented under the same Unix security scheme.  It is also
used on many different platforms and far more people are familiar with
it than a home-grown Debian-specific "solution".

Dan
 
-- 
Daniel Quinlan (quinlan@pathname.com)   At work (quinlan@transmeta.com)
http://www.pathname.com/~quinlan/       Please don't Cc: me when replying
PGP key available - http or finger      to this message on a mailing list.
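To illustrate the single-file, multi-host setup Dan describes above, here is an added sudoers fragment (constructed for this page, not from the thread or from the sudo project); the host names, network ranges, user names and command paths are assumptions. Because a sudoers rule only matches when the Host field matches the machine sudo is running on, the same file can be distributed unchanged to every Solaris and Linux host.

```sudoers
# Constructed example: one sudoers file shared by all hosts.
# Who: individual users plus an NIS group (leading % means a Unix/NIS group).
User_Alias   NETADMINS = alice, bob, %netops
User_Alias   DBADMINS  = %dba

# Where: rules apply only on matching hosts; hostnames or network/netmask.
Host_Alias   SOLARIS_HOSTS = sol1, sol2, 10.1.2.0/255.255.255.0
Host_Alias   LINUX_HOSTS   = lin1, lin2, 10.1.3.0/255.255.255.0

# What: per-platform network diagnostic tools, by absolute path.
Cmnd_Alias   NETDIAG_SOLARIS = /usr/sbin/snoop, /usr/sbin/ifconfig, /usr/sbin/traceroute
Cmnd_Alias   NETDIAG_LINUX   = /usr/sbin/tcpdump, /sbin/ifconfig, /usr/bin/traceroute

# As whom: commands may run as a specific non-root account, not only root.
Runas_Alias  DBUSER = oracle

# Network staff get the diagnostic tools (as root) only on the matching platform;
# the file is identical on every machine, the Host field does the selection.
NETADMINS    SOLARIS_HOSTS = NETDIAG_SOLARIS
NETADMINS    LINUX_HOSTS   = NETDIAG_LINUX

# DBAs may run one tool as the oracle user on every host, never as root.
DBADMINS     ALL = (DBUSER) /opt/oracle/bin/sqlplus

# Each rule names explicit commands; no user here is granted ALL as root.
```

Validate the file with `visudo -c` on each platform before pushing it out, since a syntax error in sudoers locks everyone out of sudo on that host.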

