Re: [RFC] disabled root account / distinct group for users with administrative privileges

To: debian-devel@lists.debian.org
Subject: Re: [RFC] disabled root account / distinct group for users with administrative privileges
From: Russ Allbery <rra@debian.org>
Date: Wed, 20 Oct 2010 15:14:46 -0700
Message-id: <[🔎] 87eibkfr55.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20101020051257.GL3375@mykerinos.kheops.frmug.org> (Christian PERRIER's message of "Wed, 20 Oct 2010 07:12:57 +0200")
References: <[🔎] 4CBCCC71.5010507@debian.org> <[🔎] 1287468956.18904.8.camel@tomoyo> <[🔎] 201010190948.58805.jesus.navarro@undominio.net> <[🔎] 20101020021142.GA11047@virgil.dodds.net> <[🔎] 20101020051257.GL3375@mykerinos.kheops.frmug.org>

Christian PERRIER <bubulle@debian.org> writes:
> Quoting Steve Langasek (vorlon@debian.org):

>>> On the other hand, is it really necessary a new group?  Can't adm or
>>> operator be overloaded with this new functionality? (think Ockham's
>>> razor).

>> No.  Both of those groups also have other meanings.

> How about the "root" group?

Any already-existing group is going to have the problem that some sites
will already be using it for something else.  We put all sysadmins in
group 0 (which happens to be root on Debian), a policy that for us dates
back to when we were a Solaris shop, and then set su and ksu so that
they're only executable by users in the root group.  This limits access to
su/ksu, but not in the same way that is being discussed here for sudo.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: [RFC] disabled root account / distinct group for users with administrative privileges
  - From: Christian PERRIER <bubulle@debian.org>

References:
- [RFC] disabled root account / distinct group for users with administrative privileges
  - From: Michael Biebl <biebl@debian.org>
- Re: [RFC] disabled root account / distinct group for users with administrative privileges
  - From: Josselin Mouette <joss@debian.org>
- Re: [RFC] disabled root account / distinct group for users with administrative privileges
  - From: "Jesús M. Navarro" <jesus.navarro@undominio.net>
- Re: [RFC] disabled root account / distinct group for users with administrative privileges
  - From: Steve Langasek <vorlon@debian.org>
- Re: [RFC] disabled root account / distinct group for users with administrative privileges
  - From: Christian PERRIER <bubulle@debian.org>

Prev by Date: Bug#600879: RFH: apt-listbugs -- tool which lists critical bugs before each apt installation
Next by Date: Re: Bit from the Release Team: Status of hppa
Previous by thread: Re: [RFC] disabled root account / distinct group for users with administrative privileges
Next by thread: Re: [RFC] disabled root account / distinct group for users with administrative privileges
Index(es):
- Date
- Thread