[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How to give administrative previledges



On 7 Apr 2005, at 05:05, Les Mikesell wrote:

On Wed, 2005-04-06 at 19:24, Chethiya K Ranaweera wrote:


Realistically, someone who had to ask that question in the first place
is not going to be able to configure sudo to the extent needed to
allow a useful set of operations but prevent unauthorized operations.
That's probably not even possible - for example you might want an
operator to be able to change all passwords except for root.
So, you might as well admit that you have to trust the person doing
the administration. If you don't, I'd consider webmin as a better
starting place than sudo.



So if this is the case, I would like to pose a question from my
original assumption. What is the purpose of having a GID for root?

Root's GID works like any other, only UID=0 is special.


From the above discussion, what I understand is that, even if you
modify /etc/sudoers (say, give a user admin access by adding (ALL) ALL
), the system is not going to give *ALL* admin access to that user.

Yes it does: the user can then do: sudo su - and become root with only his own password.

So
in that case, I truely do not understand of having a UID for root.

Setting uid=0 is the only special case. You can do that for other login names but it doesn't make much sense because all logins with uid=0 have equivalent permissions.

And some audit programs, like chkrootkit or cis benchmark, will complain if they ever found two different system accounts with an UID = 0. I don't think it's a good idea to ever set an account to UID = 0, except root of course.


I think sudo, has it has been explained, is a nice solution that provides a great deal of flexibility, accountability and granularity.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]