[GLLUG] root access

Melson, Paul PMelson@sequoianet.com
Thu, 11 Apr 2002 11:04:13 -0400


I totally understand that need.  My personal preference is still to rely
on `su` though.  You can run your own dotfiles for a root shell by using
`su -s $SHELL` on most *IX OS's.  That leaves you free to do things like
disable root logins through /etc/securetty, and other paranoid stuff
that limits security risks on a system.  I am a staunch believer that
the UNIX user/group paradigm is dated and needs to be replaced.  It
doesn't scale well at all, and it is sort of an "all-or-nothing"
approach to system privileges.  

While I'm ranting on this subject, Thomas Ptacek's got an interesting
project for FreeBSD described on his homepage.  I especially like the
piece on eliminating the need for a root user.
http://www.sockpuppet.org/tqbf/harden.html

PaulM

-----Original Message-----
From: Edward Glowacki [mailto:glowack2@msu.edu]
Sent: Thursday, April 11, 2002 9:49 AM
To: linux-user@egr.msu.edu
Subject: RE: [GLLUG] root access

We actually use this widely around MSU, since most of the servers are
managed by a group, not just one person.  Basically, if you're logging
into the servers, it's to do root-type stuff, and you need to be root to
do it.  We give each root account its own home directory so everyone can
have their own dotfiles.  At least on FreeBSD, Solaris, and AIX, wtmp
records the actual username of the person logging in, and doesn't
blindly just say "root" for all UID 0 accounts.  

If each user only needs to do a subset of root commands, sudo is
definitely the best choice, but if each user truly does need full root
access (as in my example above), sudo might lose most of its value.

-- 
Edward Glowacki				glowack2@msu.edu
GLLUG Peon  				http://www.gllug.org
Imagination is the one weapon in the war against reality.
                -- Jules de Gaultier
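
Added example, not part of the original thread: a small POSIX shell audit of the two setups discussed above, per-admin UID 0 accounts with their own home directories and root logins restricted through /etc/securetty. The function names and the sample accounts are hypothetical, the sample data is constructed, and the securetty interpretation assumes Linux pam_securetty behaviour.

```sh
#!/bin/sh
# Added example (not from the thread): audit UID 0 accounts and securetty.
# File paths are arguments so the checks can be run against copies.

# Print "name:home:shell" for every passwd entry whose UID is 0.
uid0_accounts() {
    awk -F: '$1 !~ /^#/ && $3 ~ /^0+$/ { print $1 ":" $6 ":" $7 }' "$1"
}

# Print any home directory used by more than one UID 0 account
# (a shared home means shared dotfiles and shell history).
shared_uid0_homes() {
    uid0_accounts "$1" | cut -d: -f2 | sort | uniq -d
}

# Print how many terminals a securetty file lists, or "missing".
# Assumption: Linux pam_securetty semantics, where an empty file denies
# root on every terminal and a missing file does not restrict root.
securetty_count() {
    [ -f "$1" ] || { echo missing; return 0; }
    grep -Evc '^[[:space:]]*(#|$)' "$1" || true
}

# Human-readable report combining the three checks.
audit_root_access() {
    passwd_file=$1
    securetty_file=$2
    echo "UID 0 accounts (name:home:shell):"
    uid0_accounts "$passwd_file" | sed 's/^/  /'
    shared=$(shared_uid0_homes "$passwd_file")
    [ -z "$shared" ] || echo "WARNING: home shared by UID 0 accounts: $shared"
    echo "securetty terminals allowing root: $(securetty_count "$securetty_file")"
}

# Constructed sample data (not taken from any real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice_r:x:0:0:Alice (root):/home/alice_r:/bin/bash
bob_r:x:0:0:Bob (root):/root:/bin/tcsh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
EOF
: > "$demo_dir/securetty"    # empty file: no terminal is listed for root
audit_root_access "$demo_dir/passwd" "$demo_dir/securetty"
```

On a real host, call `audit_root_access /etc/passwd /etc/securetty` instead of using the sample files.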
