theoretical question - can root's username be changed?
craigwhite at azapple.com
Fri Dec 2 20:50:02 UTC 2005
On Fri, 2005-12-02 at 14:14 -0600, Mike McCarty wrote:
> Scot L. Harris wrote:
> > On Fri, 2005-12-02 at 14:17, Mike McCarty wrote:
> >>Tim wrote:
> >>>On Fri, 2005-12-02 at 12:44 +0800, John Summerfied wrote:
> >>>>A really big flaw in Unix design is the fact one user has the inherent
> >>>>ability to do everything, the fact that the Unix security model is
> >>>>built round this.
> >>>A counterpoint to that, in the Windows world, is that you can have too
> >>>many people able to do things that they shouldn't. They might think
> >>>they need to do something special, they might want to do it, they might
> >>>think they know what they're doing, but they're often wrong.
> >>The objection is not that there are not enough users who can
> >>do things, but that there is one super duper user who can
> >>do EVERYTHING AND ANYTHING. There is no finesse. Either
> >>all or none. It might be useful to have someone who can
> >>administer passwords, but not rm /etc/passwd, for example.
> >>There is not enough resolution.
> > You can configure sudoers to limit a user to specific commands that they
> > can run as root when needed without allowing that user to do everything
> > root can.
> One cannot configure sudo such that one can "vi /etc/one_special_file"
> but not "vi /etc/another_special_file".
I am DEFINITELY not an expert on sudoers file but...
# tail -n 5 /etc/sudoers
Cmnd_Alias IPOD=/sbin/modprobe -r sbp2
Cmnd_Alias EJECT=/usr/bin/eject /dev/sda2,/usr/bin/eject /dev/sdb2
# User privilege specification
craig ALL=(ALL) ALL
craig ALL= NOPASSWD : IPOD, EJECT
makes me believe that I could only use modprobe and eject as prescribed
if I didn't have the ALL=(ALL) ALL designation.
More information about the fedora-list