On Tue, Dec 19, 2006 at 05:00:14PM -0600, Kent West wrote:
>
> "man sudoers" is your friend. Well, maybe not your friend, but at least
> a usable resource....
>
> For myself, I just duplicate the existing root line in /etc/sudoers and
> then change one of the roots to my user. Granted, this isn't
> particularly secure, but it's easy and adds a significant level of
> security to doing things as root.
>

Many people seem to mistake sudo for some sort of security panacea. It
is not. If you use sudo to give someone access to certain very limited
and very specific things on your system, that is OK and quite secure.
For instance, to let someone use a pbuilder or to be able to take
network interfaces up or down. However, the main thing is that unless
you are 100 percent sure of what you are doing, don't give sudo access
to someone who you would not trust with the root password.

The benefits of sudo are:

 - logging, or seeing who did what
 - running graphical programs like installers is easier
 - no need to give out the actual root password

Now, the logging thing can be quite easily circumvented by running
'sudo su -' and then later deleting root's command history (assuming
that things aren't logged elsewhere by some other mechanism). But, it
is convenient and in an environment with lots of admins, if everyone
uses sudo, it is easy to see who did what and when. Again, if these
people are admins, they should be trustworthy enough that you would
give them the root password. This just takes the head scratching out of
the "who" question? Of course, it won't answer the "why" question.
Like, "why did John run 'rm -rf /usr/local' on webserver1?" Again, if
John didn't want you to know it was him, he could make that happen, with
or without sudo.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
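An added example, not part of the original message: a small audit that separates the two kinds of sudoers grant discussed above, the duplicated root line (equivalent to handing out the root password) and the limited pbuilder or interface grants. The sample sudoers text, the user names, the command paths and the `SHELL_EQUIVALENT` list are constructed assumptions, and the parser is deliberately simplified (no aliases, includes or line continuations).

```python
import re

# Constructed sample sudoers text (illustrative; not from the original message).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
kent    ALL=(ALL) ALL
builder ALL=(root) /usr/sbin/pbuilder
netop   ALL=(root) NOPASSWD: /sbin/ifup, /sbin/ifdown
john    ALL=(root) /bin/su
"""

# Assumption: commands that hand out a root shell, making the grant
# equivalent to knowing the root password. Extend for your own systems.
SHELL_EQUIVALENT = {"/bin/su", "/bin/sh", "/bin/bash", "/usr/bin/sudo"}

# who  host = (runas) command-list
SPEC = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # e.g. "NOPASSWD: "
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def audit(text):
    """Classify each user specification as 'full-root' or 'limited'."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(SKIP):
            continue
        match = SPEC.match(line)
        if not match:
            continue
        who, _host, cmd_list = match.groups()
        # Drop tags such as NOPASSWD: and keep only each command's path.
        paths = [TAGS.sub("", c.strip()).split()[0]
                 for c in cmd_list.split(",") if c.strip()]
        full = any(p == "ALL" or p in SHELL_EQUIVALENT for p in paths)
        findings[who] = ("full-root" if full else "limited", paths)
    return findings


if __name__ == "__main__":
    for who, (verdict, paths) in audit(SAMPLE_SUDOERS).items():
        print(f"{who:8} {verdict:10} {', '.join(paths)}")
```

Anyone reported as full-root should be someone you would trust with the root password; the limited entries are the narrow, specific grants the message describes as quite secure.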