How to give administrative privileges

Felipe Alfaro Solana lkml at mac.com
Thu Apr 7 17:09:52 UTC 2005


On 7 Apr 2005, at 05:05, Les Mikesell wrote:

> On Wed, 2005-04-06 at 19:24, Chethiya K Ranaweera wrote:
>
>>
>>> Realistically, someone who had to ask that question in the first place
>>> is not going to be able to configure sudo to the extent needed to
>>> allow a useful set of operations but prevent unauthorized operations.
>>> That's probably not even possible - for example you might want an
>>> operator to be able to change all passwords except for root.
>>> So, you might as well admit that you have to trust the person doing
>>> the administration.  If you don't, I'd consider webmin as a better
>>> starting place than sudo.
>>>
>
>> So if this is the case, I would like to pose a question from my
>> original assumption. What is the purpose of having a GID for root?
>
> Root's GID works like any other, only UID=0 is special.
>
>> From the above discussion, what I understand is that, even if you
>> modify /etc/sudoers (say, give a user admin access by adding (ALL) ALL
>> ), the system is not going to give *ALL* admin access to that user.
>
> Yes it does: the user can then do:
> sudo su -
> and become root with only his own password.
>
>> So
>> in that case, I truly do not understand the purpose of having a UID for root.
>
> Setting uid=0 is the only special case.  You can do that for other
> login names but it doesn't make much sense because all logins with
> uid=0 have equivalent permissions.

And some audit programs, like chkrootkit or CIS benchmark, will
complain if they ever find two different system accounts with a UID =
0. I don't think it's a good idea to ever set an account to UID = 0,
except root of course.

I think sudo, as it has been explained, is a nice solution that
provides a great deal of flexibility, accountability and granularity.
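
An added example, not part of the original message: the two checks this thread touches on, listing accounts other than root that have UID 0 and sudoers entries that grant unrestricted `(ALL) ALL`. The function names and the sample passwd and sudoers text are constructed for illustration, and the sudoers check assumes one rule per line with no aliases or includes.

```shell
#!/bin/sh
# Added example; all sample data below is constructed.

# Logins with UID 0 other than root. Reads passwd-format text on stdin.
extra_uid0_accounts() {
    awk -F: '$1 !~ /^#/ && $3 ~ /^0+$/ && $1 != "root" { print $1 }'
}

# Users/groups holding an unrestricted "(ALL) ALL" rule. Reads sudoers text on stdin.
# Assumption: one rule per line; aliases, includes and continuations are not expanded.
unrestricted_sudoers() {
    awk '
        /^[ \t]*#/ { next }                          # comments and #include lines
        /^[ \t]*$/ { next }                          # blank lines
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next } # settings and alias definitions
        index($0, "=") == 0 { next }                 # not a user specification
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)           # keep the part after "host ="
            # optional (ALL) or (ALL:ALL) runas, optional tags such as NOPASSWD:
            if (spec ~ /^(\([ \t]*ALL[ \t]*(:[ \t]*ALL[ \t]*)?\)[ \t]*)?([A-Z]+:[ \t]*)*ALL[ \t]*$/)
                print $1
        }
    '
}

sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
admin:x:0:100:operator:/home/admin:/bin/bash
EOF
}

sample_sudoers() {
cat <<'EOF'
Defaults env_reset
# carol ALL=(ALL) ALL
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
alice   ALL=(ALL:ALL) NOPASSWD: ALL
bob     ALL=(ALL) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
EOF
}

echo "UID 0 accounts besides root:"; sample_passwd | extra_uid0_accounts
echo "Unrestricted sudo rules:";     sample_sudoers | unrestricted_sudoers
```

On a live system, feed the functions `/etc/passwd` and, as root, `/etc/sudoers` on stdin instead of the sample text.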



