
Re: sudo logging



Chris Davies wrote:
> Berthold Cogel <cogel@uni-koeln.de> wrote:
>> [...] we don't want them to be root for some reasons.
> 
>> Surely they can break the setup if they want. But they gain nothing if
>> they do.
> 
> Your two statements seem to be mutually exclusive...?
> 
> Somewhat puzzled,
> Chris
> 
> 

It's a grown setup with a lot of small web projects running in parallel!
Each with its own user/group. So if you're not root, you run into
limitations if you have to manage this setup. For example the number of
groups of which you can be a member is limited. You can handle a lot of
things with extended ACLs and stuff like this. But not all.
Now imagine that the users who create the webpages for these projects
are very capable when it comes to shooting themselves in the feet. And you
will have to fix all of this. And fast because it's always urgent.
This is what our webmasters do. They need a lot of permissions but we
don't want them to be root. And they don't want to be root either
because of the responsibility. So we give them the means to do their
work with as much 'protection' as possible and a minimum of annoyance.
So if they need to bring an interface up, they can. If they have to
reboot a system because of stuck processes, they can. But we want to see
it in the logs.

It's a grown setup... Now I would choose other methods, but it's not
worth the effort to change things at the moment.

Berthold

