[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_wheel



On Thu, Mar 28, 2002 at 04:35:21PM -0800, Petro wrote:
> On Thu, Mar 28, 2002 at 11:01:23AM -0800, James Bagley Jr wrote:
> > Hey all,
> > 
> > I have users that need root access to their workstations.  Reading the pam
> > documentation for the pam_wheel module it sounds like I can allow them to
> > 'su -' without entering a password.  This is ideal because I don't want to
> > give them that root password, i'd rather keep that to myself.  Problem is,
> > it doesn't work.  I'm using red hat 7.2.  Here is the contents of
> > /etc/pam.d/su:
> 
>     Sudo is a much better tool for this. 
> 
>     However, if they have root access (which su - is), they can simply
>     change the root password.

not to mention if they really want to find out what the root password
is they can simply trojan su, login or anything else to log everything.

>     Sudo, properly configured can help to solve that problem.

true, but its quite difficult, especially if you need to grant
somewhat liberal root access.

it sounds to me like managment has demanded the ability to get a root
shell with no fuss, under these circumstances all is lost anyway and
you may as well give them the root password, or just throw in the
towel and run chmod -R 6777 / to give them what they really want
(Windows emulation).

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgp00001.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []