user with root privilege
Jeff Vian
jvian10 at charter.net
Tue Apr 20 01:04:52 UTC 2004
Björn Persson wrote:
> Jeff Vian wrote:
>
>> Björn Persson wrote:
>>
>>> If more than one person needs root access, and a few selected
>>> commands through sudo isn't enough, then surely it's better to have
>>> multiple root accounts that to share a password.
>>>
>> I disagree!
>>
>> Here is a situation where this does not make sense, and the use of
>> sudo does make sense
>
>
> You don't need to prove to me that sudo is useful. Please read what I
> actually write so you don't disagree with something I've never said. I
> said _if_ there is a situation where _sudo_isn't_enough_, then
> multiple root accounts with separate passwords is better than multiple
> administrators sharing one root password. The little typo I made
> didn't make the sentence that hard to understand did it?
>
>> 3. An additional valid argument against allowing users to routinely
>> log in and function as root is that a single careless keystroke can
>> take the system completely down and cost you (or the company)
>> thousands or even millions in doing recovery and possible lost
>> business or sales.
>
>
> And now it seems like you think I've said that users should do
> everything as root. I haven't. *Of course* you should run commands as
> root only when absolutely necessary.
>
> Björn Persson
>
Sorry, my reply was not aimed at you. It was added to voice my reasons
for being adamantly against having any account other than root with full
root privileges.
This is what the OP wanted to do, and some have indicated this would be
OK. In my opinion it is not.
If your users with root access and sudo access do not communicate enough
to be able to have one ask the admin who does have the root access to
assist in the *very few* cases where sudo would not achieve the goal
then there is a problem.
Also, there _should_ never be a situation where this could occur if the
user is really trusted with full root access. Sudo can be set up in such
a way that the trusted user can be given full access to all commands
that root must run with no restrictions and with the extra layer of
logging enabled. On my machines I use sudo to run everything and
/never/ log in as root at any time other than the first new install and
configuration.
For those who are unaware of the very flexible configurations available
with sudo, look at the man pages for sudo, visudo, and sudoers. It can
be tailored in any way needed to allow many users access to the commands
they need and still restrict access to the commands that only a few
should ever need to just those few. Sudo is a friend to all system admins.
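
An added example, not part of the original message: a sudoers fragment showing the two arrangements described above, full logged access for trusted administrators and a restricted command set for everyone else. The user names (alice, bob, carol, dave), the file path and the httpd service are assumptions for illustration.

```sudoers
# /etc/sudoers.d/admins  (hypothetical path; edit with: visudo -f /etc/sudoers.d/admins)
# All user names below are hypothetical.

# Write every sudo invocation to a dedicated log file in addition to syslog.
Defaults        logfile=/var/log/sudo.log

# Record terminal input and output of each sudo session.
# Requires sudo 1.7.4 or later; drop this line on older versions.
Defaults        log_input, log_output

# People trusted with everything root can do.
User_Alias      FULLADMINS = alice, bob

# People who only need to manage one service.
User_Alias      WEBOPS = carol, dave

# The only commands WEBOPS may run, with fixed arguments.
Cmnd_Alias      WEBSVC = /sbin/service httpd start, \
                         /sbin/service httpd stop, \
                         /sbin/service httpd restart

# Full access: any command, as any user, on any host.
# Each admin authenticates with their own password, so the log
# attributes every command to a named person; no root password is shared.
FULLADMINS      ALL = (ALL) ALL

# Restricted access: only the listed service commands, only as root.
WEBOPS          ALL = (root) WEBSVC
```

Running `visudo -c` after editing checks the syntax before the file takes effect, so a typo cannot lock every administrator out of sudo.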