[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFC] disabled root account / distinct group for users with administrative privileges

Christian PERRIER <bubulle@debian.org> writes:
> Quoting Steve Langasek (vorlon@debian.org):

>>> On the other hand, is it really necessary a new group?  Can't adm or
>>> operator be overloaded with this new functionality? (think Ockham's
>>> razor).

>> No.  Both of those groups also have other meanings.

> How about the "root" group?

Any already-existing group is going to have the problem that some sites
will already be using it for something else.  We put all sysadmins in
group 0 (which happens to be root on Debian), a policy that for us dates
back to when we were a Solaris shop, and then set su and ksu so that
they're only executable by users in the root group.  This limits access to
su/ksu, but not in the same way that is being discussed here for sudo.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: