
Re: Excessive root usage in Debian

Quoth John Goerzen on 11 Oct, 1999:

> Along the same lines, we ought to have special accounts for
> subsystems.  We already have some of this.  There's www-data, daemon,
> mail, dialin, lp, news, uucp, etc.  I am *NOT* suggesting special
> accounts for each program or daemon, merely ones for systems.  How
> about an X account so that managing these files can be delegated to
> someone?
> I have 27 /usr/sbin/*config files.  Not a one runs as anything other
> than root.  Few really need to run as root.

May I humbly suggest a group named 'maintenance' or 'config' or somesuch, in
addition to subsystem group names?  Each subsystem-user would of course have
ownership over its related control files, but they would be in the 'config'
group.  The admin may then add whomever he wants to be able to alter system
configurations and such to the 'config' group.

I find it amusing that we discuss such things after the Linux Myths document.
We have a very elegant system for giving privileges to people.  Let's use it
-- putting all the system-maintenance routines under the ownership of a group
would be a good start, imho.

Of course, it's early in the morning.  I could be missing something obvious.

Robert C. Jones | rjones-at-devzero-dot-org | http://www.devzero.org
  Linux junkie  |   professional sysadmin   |     raving lunatic
        Please use PGP: http://www.devzero.org/public.asc
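
An added example, not part of the original message: a Python audit of a configuration tree against the scheme proposed above, where control files carry the 'config' group and that group can write to them. The function names and the extra checks (world-writable, setuid/setgid) are assumptions made for this illustration.

```python
import grp
import os
import stat
import sys


def check_entry(path, config_gid):
    """Return the list of ways one path departs from the 'config' group scheme."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink (target not checked)"]
    problems = []
    if stat.S_ISREG(st.st_mode):
        if st.st_gid != config_gid:
            problems.append("group is not the config group")
        elif not st.st_mode & stat.S_IWGRP:
            problems.append("config group cannot write")
        if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            problems.append("setuid/setgid bit on a config file")
    # Assumption: anything writable by "other" defeats the delegation,
    # because the group is no longer what limits who can edit.
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_config_tree(root, config_gid):
    """Walk root and return {path: [problems]} for non-conforming entries."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            problems = check_entry(path, config_gid)
            if problems:
                findings[path] = problems
    return findings


if __name__ == "__main__":
    # Usage: audit.py <directory> <group name>, e.g. a subsystem's config dir
    # and the group the admin chose ('config' in the message above).
    tree, group_name = sys.argv[1], sys.argv[2]
    for path, problems in sorted(audit_config_tree(tree, grp.getgrnam(group_name).gr_gid).items()):
        print(f"{path}: {', '.join(problems)}")
```

Membership in the group is itself worth reviewing, since anyone in it can change files that root-run programs read.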
