Re: [RFC] disabled root account / distinct group for users with administrative privileges
Christian PERRIER <firstname.lastname@example.org> writes:
> Quoting Steve Langasek (email@example.com):
>>> On the other hand, is it really necessary a new group? Can't adm or
>>> operator be overloaded with this new functionality? (think Ockham's
>> No. Both of those groups also have other meanings.
> How about the "root" group?
Any already-existing group is going to have the problem that some sites
will already be using it for something else. We put all sysadmins in
group 0 (which happens to be root on Debian), a policy that for us dates
back to when we were a Solaris shop, and then set su and ksu so that
they're only executable by users in the root group. This limits access to
su/ksu, but not in the same way that is being discussed here for sudo.
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>