
Re: Doing administrative work



On Sun, 2007-01-21 at 22:03 -0500, Jim Hyslop wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> OK, this latest discussion about logging in as root got me thinking. I'm
> fairly new to Linux. Occasionally, when I need to set up something (as
> an example, my recent DNS questions) I will need to edit a config file,
> and restart the daemon. I usually start by logging in as myself, then
> issue individual 'su [command]' commands. After a while, I get tired of
> typing in the root password over and over, so I just issue a simple 'su'
> and work as root from there.
> 
> Should I be taking a different approach?

My practices are for accountability. I like to believe they are best
practices.

      * Never connect to remote machine as root... there are exceptions,
        but they are few and far between.
      * Log in to a machine as a regular non-privileged user.
      * If the need arises, use a method to allow "limited privileges" in
        a granular way. I use "sudo"; it allows one to give "user
        creation" without giving the keys to the machine to the person
        or helpdesk person.
      * If you need a graphical method, I use "sux" or in combo "sudo
        sux -" and then run the program... then exit.
      * If you really need to *BE* root, "sudo su -" or "sudo sux -" for
        only as long as you need.

It is really all about accountability or being able to track who did
what when. To track problems caused by administration errors, or to
track when someone uses things they shouldn't. IOW, about limiting users
doing harmful things.

If you need more... ask specific questions.
-- 
greg, greg@gregfolkert.net

The technology that is
Stronger, better, faster:  Linux
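
Added example, not part of the original message: a small Python audit of the log lines sudo writes to syslog, showing the "who did what when" trail described above and flagging where a root shell ends the per-command record. The log lines, host name, user names and commands are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format sudo writes (e.g. /var/log/auth.log).
SAMPLE_LOG = """\
Jan 21 22:10:01 host1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/rndc reload
Jan 21 22:11:40 host1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/etc/init.d/bind9 restart
Jan 21 22:15:02 host1 sudo: helpdesk : TTY=pts/1 ; PWD=/home/helpdesk ; USER=root ; COMMAND=/usr/sbin/useradd alice
Jan 21 22:20:13 host1 sudo: helpdesk : command not allowed ; TTY=pts/1 ; PWD=/home/helpdesk ; USER=root ; COMMAND=/bin/su -
Jan 21 22:30:45 host1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/su -
Jan 21 22:31:00 host1 CRON[4242]: (root) CMD (run-parts /etc/cron.hourly)
"""

SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssudo(?:\[\d+\])?:\s+"
                     r"(?P<user>\S+)\s:\s(?P<rest>.*)$")
# Run through sudo, these open a root shell; sudo's default log has no per-command entries after that.
SHELLS = {"su", "sux", "sh", "bash", "zsh", "ksh"}

def parse_sudo_line(line):
    """Return one sudo event as a dict, or None for lines sudo did not write."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    head, sep, command = m["rest"].partition("COMMAND=")
    if not sep or not command.strip():
        return None
    fields = [f.strip() for f in head.split(" ; ") if f.strip()]
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    # Fields without "=" are status notes such as "command not allowed".
    notes = [f for f in fields if "=" not in f]
    binary = command.split()[0].rsplit("/", 1)[-1]
    return {"when": m["ts"], "user": m["user"], "run_as": kv.get("USER"),
            "command": command.strip(), "refused": bool(notes),
            "root_shell": not notes and binary in SHELLS}

def audit(log_text):
    """Group sudo events by invoking user: who did what, when."""
    trail = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event:
            trail[event["user"]].append(event)
    return dict(trail)

if __name__ == "__main__":
    for user, events in audit(SAMPLE_LOG).items():
        for e in events:
            flag = "REFUSED" if e["refused"] else "ROOT-SHELL" if e["root_shell"] else "ok"
            print(f'{e["when"]} {user:<9} {flag:<10} {e["command"]}')
```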
