On Thu, Sep 14, 2000 at 03:11:42PM -0800, Ethan Benson (erbenson@alaska.net) wrote:
> On Thu, Sep 14, 2000 at 12:31:27PM -0700, kmself@ix.netcom.com wrote:
>
> you could also accomplish this by creating multiple uid=0 accounts
> with different passwords, at least that way if Tim gets his user
> password stolen it's not an automatic root compromise.

But you've got zero control of commands available, and no logging of what commands are being run as root.

> also if Nate was really evil/disgruntled he may have installed a
> rootkit or backdoor before he was canned. in which case sudo or not
> you're screwed anyway ;-)

Modulo: if you suspect this up front, you can throttle his access in an instant, *without* disrupting the rest of the team.

> > In no case do you have to worry about poor old Bob, who's just a dumb
> > luser. Maybe you want to give him limited access to the print queue --
> > see the sudo docs for info on how to do this.
> >
> > Use of sudo also allows denying *all* remote root access. Hit the
> > system as a normal user first, then go root.
>
> so does PermitRootLogin no and pam_wheel.

Without the granularity of control by user and command, and logging.

-- 
Karsten M. Self <kmself@ix.netcom.com> http://www.netcom.com/~kmself
Evangelist, Opensales, Inc. http://www.opensales.org
What part of "Gestalt" don't you understand? Debian GNU/Linux rocks!
http://gestalt-system.sourceforge.net/ K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
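The per-user, per-command control and logging argued for in the message above, shown as an added sudoers example that is not part of the original thread. The login names tim, nate and bob mirror the people named in the discussion; the command paths and the log file location are assumptions.

```sudoers
# Added example, not from the thread. Login names follow the names used
# in the discussion; paths and the log file location are assumptions.

# Record every sudo invocation (invoking user, tty, working directory,
# target user, full command line) in a dedicated file as well as syslog.
Defaults        logfile="/var/log/sudo.log"
Defaults        log_year

# Print-queue management only (assumed paths for lpc and lprm).
Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm

# Full administrators. Each authenticates with his own password, so a
# stolen password maps to one named account in the log.
User_Alias      ADMINS = tim

# nate was a member of ADMINS; dropping his name from the alias revokes
# his root access at once, with no password change for anyone else.

# Administrators may run any command as root, and each run is logged.
ADMINS  ALL = (root) ALL

# bob may manage the print queue as root and nothing else.
bob     ALL = (root) PRINTING
```

Check the file with `visudo -c -f <file>` before installing it. A command restriction such as PRINTING only holds as long as none of the listed commands can spawn a shell.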