SUDO

Broekman, Maarten Maarten.Broekman at FMR.COM
Mon Jun 22 19:00:27 UTC 2009


>  -----Original Message-----
>  From: redhat-list-bounces at redhat.com 
>  [mailto:redhat-list-bounces at redhat.com] On Behalf Of mark
>  Sent: Monday, June 22, 2009 2:28 PM
>  To: General Red Hat Linux discussion list
>  Subject: Re: SUDO
>  
>  Hike wrote:
>  > Why?
>  > 
>  > If the user knows the root password, there is no need.
>  
>  Ok, let me explain further. We're not talking home systems, we're talking
>  corporate. And no, *not* everyone knows the root password. In fact, using
>  sudo su - means they do not have to know it.

Even in a corporate setting there is no need to set up "sudo su -" or
"sudo su - root".  You set up sudo to allow "sudo bash" to be run as the
appropriate user (root or otherwise).

>  > If sudo is configured correctly, there is no need to "su - root" since
>  > the user can already run the needed commands.
>  
>  That depends. Some users - presumably admins - can be configured to be
>  allowed to run only certain commands. Others may need less limited use,
>  and it can be a lot easier if they can get to root; for example, when I'm
>  going to look at logs, and only root can read them, or even look in some
>  directories under /var/log, it's a *real* pain to sudo view every single
>  log.

Yes.  If you only need read access, you configure selinux to allow it or
you configure sudo to allow you to "more /var/log/*" (or less if that's
your preference).  If you actually need shell access, you allow "sudo
<shell>".

--Maarten
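
As an added example, not part of the original post: a sudoers fragment covering the two cases discussed above, read-only log viewing and full shell access. The group names, the list of log files and the binary paths are assumptions for illustration.

```sudoers
# Added example; %logreaders, %sysadmins, the file list and the binary
# paths are assumptions. Check syntax before installing:
#   visudo -cf /etc/sudoers.d/logaccess

# A "*" in sudoers command arguments is matched against the whole argument
# string, so it also matches spaces and "/". A rule written as
#   /bin/more /var/log/*
# would therefore also match
#   /bin/more /var/log/messages /etc/shadow
# Listing the files explicitly keeps the grant limited to those logs.
Cmnd_Alias LOGVIEW = /bin/more /var/log/messages, \
                     /bin/more /var/log/secure, \
                     /usr/bin/less /var/log/messages, \
                     /usr/bin/less /var/log/secure

# more and less can start a shell or an editor from inside the pager.
# NOEXEC stops a dynamically linked pager from executing further programs,
# so the rule stays read-only. It has no effect on statically linked
# binaries.
%logreaders ALL = (root) NOEXEC: LOGVIEW

# Users who actually need a root shell get one directly ("sudo bash"),
# with no need for "sudo su -" and no shared root password.
%sysadmins  ALL = (root) /bin/bash
```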



