Re: [RFC] disabled root account / distinct group for users with administrative privileges
Christian PERRIER <bubulle@debian.org> writes:
> Quoting Steve Langasek (vorlon@debian.org):
>>> On the other hand, is it really necessary a new group? Can't adm or
>>> operator be overloaded with this new functionality? (think Ockham's
>>> razor).
>> No. Both of those groups also have other meanings.
> How about the "root" group?
Any already-existing group is going to have the problem that some sites
will already be using it for something else. We put all sysadmins in
group 0 (which happens to be root on Debian), a policy that for us dates
back to when we were a Solaris shop, and then set su and ksu so that
they're only executable by users in the root group. This limits access to
su/ksu, but not in the same way that is being discussed here for sudo.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: