
Re: /usr/bin before /usr/local/bin?



On Thu, Nov 02, 2000 at 12:16:26AM -0800, Krzys Majewski (majewski@cs.ubc.ca) wrote:
> kmself@ix.netcom.com writes:
> 
> > I use a fairly liberal sudoers setting for my personal account.  Yes,
> > this means that I'm usually only a few keystrokes away from being 
> > root -- but that's what I'm after.  And a password is still required.
> 
> If you need a password, then why not just su? 
> -chris

    $ man sudo

sudo provides granularity of control over what commands may be run by a
user.  It also logs execution of commands.  It also logs, and emails
administrator, failed sudo attempts.

There's a good discussion of sudo -- an entire chapter -- in _Linux
System Security_ by Scott Mann and Ellen L. Mitchell, Prentice Hall, © 2000
ISBN 0-13-015807-0.

    Whenever system maintenance requires more than one administrator on
    a system, either the root password is disclosed to those who are
    involved or each administrator will have their own root account....
    In many other cases, however, there is a need to improve the audit
    trail for root.  That way, when things go awry (whether due to a
    security compromise or not), the details are available and remedies
    may be determined.  In yet other situations, the need for granting
    limited privileges to certain users is essential....There is a
    utility that can provide this functionality -- it is called sudo.

    p 173, _Linux System Security_

Examples of practical use.  For trade-show systems, certain system
commands need to be run to configure software or change settings.  These
should not be available to show attendees.  Providing access through
sudo helps ensure the systems aren't tampered with.

A QA department shares systems with various configurations of software.
Limited access to services (MySQL server, Apache), is required.  Shared
root is one option; sudo is far better for limiting chances for
intentional or, much more likely, accidental system damage.

-- 
Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.                      http://www.zelerate.org
  What part of "Gestalt" don't you understand?      There is no K5 cabal
   http://gestalt-system.sourceforge.net/        http://www.kuro5hin.org
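A sudoers fragment for the QA-department case described in the post (limited service control, password still required, every attempt logged and failures mailed to the administrator). This is an added example, not configuration from the original message; the hostnames, user names and the /etc/init.d paths are assumptions, and the file should be installed with visudo so it is syntax-checked first.

```sudoers
# Logging: record every sudo invocation in its own file, and mail the
# administrator when a password is mistyped or a disallowed command is tried.
Defaults        logfile=/var/log/sudo.log, log_year
Defaults        mail_badpass, mail_no_perms, mail_no_user
Defaults        mailto="root@localhost"   # assumed admin mailbox

# Assumed names: the shared QA test machines and the QA staff accounts.
Host_Alias      QA_HOSTS  = qa-web1, qa-web2, qa-db1
User_Alias      QA_STAFF  = alice, bob

# Exactly the service operations QA needs; no wildcards, so the arguments
# cannot be extended into anything else.  Paths assumed (Debian-style init).
Cmnd_Alias      MYSQL_CTL  = /etc/init.d/mysql start,  \
                             /etc/init.d/mysql stop,   \
                             /etc/init.d/mysql restart
Cmnd_Alias      APACHE_CTL = /etc/init.d/apache start, \
                             /etc/init.d/apache stop,  \
                             /etc/init.d/apache restart

# QA staff may run only those commands as root, only on the QA hosts, and
# only after authenticating with their own password (no NOPASSWD here).
QA_STAFF        QA_HOSTS = (root) MYSQL_CTL, APACHE_CTL

# The administrator keeps the liberal setting discussed in the thread.
kmself          ALL = (ALL) ALL
```

Anything outside the two aliases (a shell, an editor, a different init script) is refused, logged to /var/log/sudo.log and, because of mail_no_perms, reported by mail.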
