edit root alias when installing the OS

Rahul Sundaram sundaram at redhat.com
Thu Jan 5 18:14:46 UTC 2006


Hi

>1) Once any non-admin learns the root password, everybody knows the root
>password.  And unless the admin wants to do every trivial admin
>activity, the root password must be given out and thus compromised.
>
>2) Root logins are security problems because you can't tell which
>human actually logged on in the guise of root.  Whom do you fire,
>even if you figure out what was done?
>
>3) Sudo(1) allows fine control over which programs a user can run as
>any other user.
>
>4) With sudo(1), an authenticated user must reauthenticate to run a
>program as another user.  (Trusted users need not reauthenticate.)
>
>5) Sudo(1) logs the activity so you will have an audit trail.  System
>console, and syslog.
>
>
>Using sudo(1) is a big security win. 
>
In many cases, yes, it can be a big security win, but the question here
is: do you want the default user to have all administrative access
through his own password? That makes sense for the typical home user
who owns his system anyway, but it doesn't seem to be a big advantage for
any system where system administration is done by other people who want
to limit access to only non-root routine tasks for regular users.
Several programs might not work well with sudo, like webmin for instance.
Shell redirection under sudo might not work as expected, e.g. sudo ls
/etc > /root/etc.list. If we decide that Fedora Core will be squarely
targeted at the desktop then sudo might work well, but otherwise I don't
see it as a generic default solution.
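
The redirection behaviour mentioned above, as an added example that is not part of the original message: the calling shell opens the redirect target with the caller's rights before sudo starts, so the command never runs. `elevate`, `PROTECTED` and the temporary paths are hypothetical stand-ins so the script runs without real privileges; the real sudo forms are given in the comments.

```shell
#!/bin/sh
# Model of `sudo ls /etc > /root/etc.list` that runs without real privileges.
# elevate() is a hypothetical stand-in for sudo: the "protected" directory
# exists only once elevate has started, the way /root is only writable
# once sudo has switched to root.

WORK=$(mktemp -d)
PROTECTED="$WORK/root"          # constructed stand-in for /root
LOG="$WORK/elevate.log"

elevate() {
    echo started >> "$LOG"      # proof that the elevated command ran
    mkdir -p "$PROTECTED"       # models gaining access to the directory
    "$@"
}

reset_state() { rm -rf "$PROTECTED" "$LOG"; }

# Form from the mail: the calling shell opens the target first, with the
# caller's rights, fails, and never starts the command at all.
redirect_outside() {
    reset_state
    if ( elevate ls /etc > "$PROTECTED/etc.list" ) 2>/dev/null; then
        echo wrote
    elif [ -f "$LOG" ]; then
        echo ran-but-failed
    else
        echo never-started
    fi
}

# Fix 1: move the redirection into a shell that itself runs elevated
# (real form: sudo sh -c 'ls /etc > /root/etc.list').
redirect_inside() {
    reset_state
    elevate sh -c 'ls /etc > "$1"' sh "$PROTECTED/etc.list" || return 1
    [ -s "$PROTECTED/etc.list" ] && echo wrote
}

# Fix 2: let an elevated tee open the file
# (real form: ls /etc | sudo tee /root/etc.list > /dev/null).
pipe_to_tee() {
    reset_state
    ls /etc | elevate tee "$PROTECTED/etc.list" > /dev/null || return 1
    [ -s "$PROTECTED/etc.list" ] && echo wrote
}
```

Both fixes have a policy cost: a sudoers rule that permits only `ls` does not cover `sh -c` or `tee`, so each needs its own entry.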





