
Re: using sudo (was Re: bash login for root)



On Thu, Sep 14, 2000 at 12:31:27PM -0700, kmself@ix.netcom.com wrote:

> The advantage in a multiuser environment is that you are providing (and
> controlling) root access at the user level rather than at the system
> level.  Eg, Tim, Bob, Alice, and Nate have access to a system.  Tim,
> Alice, and Nate are admins.  Nate is canned for violating company SOP.
> 
> If Tim, Alice, and Nate shared the root password, you need to:
> 
>    - Change the root password.
>    - Tell Tim and Alice
> 
> If root access was provided via sudo:
> 
>    - Remove Nate from the /etc/sudoers file.

you could also accomplish this by creating multiple uid=0 accounts
with different passwords, at least that way if Tim gets his user
password stolen it's not an automatic root compromise.  

also if Nate was really evil/disgruntled he may have installed a
rootkit or backdoor before he was canned.  in which case sudo or not
you're screwed anyway ;-)

> In no case do you have to worry about poor old Bob, who's just a dumb
> luser.  Maybe you want to give him limited access to the print queue --
> see the sudo docs for info on how to do this.
> 
> Use of sudo also allows denying *all* remote root access.  Hit the
> system as a normal user first, then go root.

so does PermitRootLogin no and pam_wheel.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
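
The mechanisms named in this thread (uid=0 accounts, `PermitRootLogin no`, `pam_wheel`) all leave state in plain files, so who can reach root can be inventoried when an admin leaves. The following is an added example, not part of the original message; the file contents are constructed samples, the `alice-root` account and all function names are hypothetical, and sshd `Match` blocks are assumed absent.

```python
import re

# Constructed sample inputs (not taken from any real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
tim:x:1000:1000::/home/tim:/bin/bash
alice-root:x:0:0:Alice admin:/root:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
"""
SSHD_CONFIG = """# constructed sshd_config fragment
#PermitRootLogin yes
PermitRootLogin no
"""
PAM_SU = """# constructed /etc/pam.d/su fragment
auth sufficient pam_rootok.so
# auth required pam_wheel.so
auth required pam_unix.so
"""

def uid0_accounts(passwd_text):
    """Return every login name whose UID field is 0."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return [f[0] for f in rows if len(f) >= 7 and f[2] == "0"]

def permit_root_login(sshd_text):
    """Return the PermitRootLogin value (sshd uses the first match), or None if unset."""
    for line in sshd_text.splitlines():
        m = re.match(r"\s*PermitRootLogin[\s=]+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None

def pam_wheel_enabled(pam_text):
    """True if an uncommented auth line loads pam_wheel.so."""
    return any(re.match(r"\s*auth\s+.*\bpam_wheel\.so\b", l) for l in pam_text.splitlines())

def audit(passwd_text, sshd_text, pam_text):
    """Report who holds uid 0 and whether the two root-access gates are set."""
    report = []
    extra = [n for n in uid0_accounts(passwd_text) if n != "root"]
    if extra:
        report.append("uid=0 accounts besides root: " + ", ".join(extra))
    if permit_root_login(sshd_text) != "no":
        report.append("remote root login is not disabled")
    if not pam_wheel_enabled(pam_text):
        report.append("su is not restricted by pam_wheel")
    return report

if __name__ == "__main__":
    print("\n".join(audit(PASSWD, SSHD_CONFIG, PAM_SU)))
```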
