
Re: root level access for normal users



On Mon, 2007-04-16 at 11:34 -0400, Tony Heal wrote:
> I am working on a project to allow a normal system user access to a
> very limited subset of programs and scripts. The idea is to allow the
> user to perform certain maintenance and troubleshooting without
> actually being able to change anything, such as config files, logs, etc.
> I am convinced that sudo is the way to go, but I need more info (ammo)
> to convince my boss that simply changing the permissions of the subset
> of files is a bad idea.

Would it help you out to tell him that various operating systems use
only sudo to do this?

Like:
        Apple's OSX, Ubuntu Linux

And that many many many company resources depend on sudo to do
everything.

Here is a good article to read about how sudo keeps people honest, as
things are logged. There are other things you can do to make them even
MORE logged (rootsh being the only command allowed to run with sudo,
which logs ALL commands).

http://www.onlamp.com/pub/a/bsd/2002/08/29/Big_Scary_Daemons.html?page=1

You can also tell him the codebase is actively maintained, but hasn't
needed any updates since November 8th, 2005. It is well reviewed and
very robust, giving it a lot of good things to offer. Its configuration
is widely known and is widely used. It supports groups, metagroups,
virtually any programs, has differing levels of access and restrictions.

There really is only one reason not to use it: you don't care about things
getting broken and don't care to figure out the culprit or problem, and
who might have done it.

As we all know, many fingers in the pot cause many problems, and keeping
track of problems and how to prevent them is a good thing.

-- 
greg, greg@gregfolkert.net

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup
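The reply above argues the case in prose; the following /etc/sudoers fragment is an added example (not part of the original thread or of the sudo project's documentation) of what the "very limited subset of programs" setup from the question looks like in sudo's own configuration. The group name `helpdesk`, the command paths, and the script `/usr/local/sbin/check_disk.sh` are assumptions chosen for illustration.

```sudoers
# Added example, not from the original post. Group and command names are
# assumed. Always edit with visudo (or check a file with: visudo -c -f FILE)
# so a syntax error cannot lock everyone out of sudo.

# Every sudo invocation is recorded: who ran it, from which tty and
# directory, as which user, and the exact command line. This is the
# "keeps people honest" property that a chmod/setuid approach never gives.
Defaults        syslog=authpriv
Defaults        logfile=/var/log/sudo.log
Defaults        log_year, log_host

# The read-only maintenance/troubleshooting subset. Each entry is a full
# path plus the exact arguments allowed; a different argument list is refused.
# Avoid wildcards in arguments: sudo matches them with fnmatch() without
# FNM_PATHNAME, so "/bin/cat /var/log/*" would also match
# "/bin/cat /var/log/../../etc/shadow".
Cmnd_Alias MAINT_RO = /bin/cat /var/log/messages, \
                      /usr/bin/tail -n 100 /var/log/messages, \
                      /usr/sbin/ntpq -p, \
                      /usr/local/sbin/check_disk.sh

# Members of the helpdesk group may run exactly that subset as root.
# Nothing else is granted, and the grant can be revoked per user or per
# command without touching file ownership or modes anywhere on the system.
%helpdesk ALL = (root) MAINT_RO

# Contrast with the alternative in the question: "chmod 4755 check_disk.sh"
# would run the script as root for every account on the machine, with no
# per-user control and no record of who ran it or when.
```

Two things must hold for the fragment to achieve what the question asks for. The listed scripts and binaries must be owned by root and not writable by the helpdesk users, otherwise they can change what runs as root. And none of the allowed commands may offer an escape to a shell or editor (pagers such as `less`, or editors such as `vi`, allow this), since sudo constrains which command starts, not what that command does afterwards.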
