[NTLUG:Discuss] DistroWatch 10 Most Popular Linux Distros
Kenneth Loafman
kenneth at loafman.com
Fri Apr 3 15:49:23 CDT 2009
Chris Cox wrote:
> On Fri, 2009-04-03 at 14:30 -0500, Kenneth Loafman wrote:
> ...
>> If you don't give them any rights, they'll just sign on as root and stay
>> there and we know that's bad. So, where's a good middle ground?
>
> I don't know if there is a middle ground. You don't want
> anonymous logins... root is usually an account that becomes
> anonymous (that is, more than one person might use it).
I agree. I think the sudo route is the middle ground. No one knows the
root password, therefore no one can abuse root, assuming logging is made
of all sudo activity.
> Thus you want people to come in as their private (non-shared)
> user id and then become root (sudo) in some kind of controlled
> fashion.. or better, just run the programs they need as root (again,
> use sudo for example).
I agree.
> The latter is important, in Ubuntu it's pretty easy to
> just do "sudo bash" and well... that pretty much messes
> things up, now doesn't it?
At some point, the admin, or the first user, has to be able to get into
a root shell. You can only type sudo so many times before your hands
cramp up. Convenience will win over security if you make it onerous.
> So my "middle" ground (which is NOT in the middle) would be
> to restrict logins/shell access to individual private users
> only and then restrict the execution of specific programs
> to specific people for root auth (be careful NOT to give them
> access to a program from which they can shell-out for
> example).
This can be done with the /etc/sudoers file, but takes a bit of work.
Scratchbox and others have a rather detailed sudoers file that does
not let the user do much. I've already found it's too restrictive, but
it's a start.
...Ken
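
An added example, not part of the original message: a small audit of sudoers rules that flags entries which amount to a root shell, the "sudo bash" and shell-out cases discussed in the thread. The program lists, the sample rules and the function name are assumptions made for illustration.

```python
import os
import re

# Assumed, illustrative (not exhaustive): shells, and programs with a shell escape.
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh", "su"}
ESCAPES = {"vi", "vim", "less", "more", "man", "find", "awk"}
SKIP = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

# Constructed sample input, not taken from any real system.
SAMPLE = """\
Defaults logfile=/var/log/sudo.log
%admin  ALL=(ALL) ALL
alice   ALL=(root) /usr/bin/vi /etc/hosts
bob     ALL=(root) NOEXEC: /usr/bin/less /var/log/messages, /sbin/reboot
carol   ALL=(root) NOPASSWD: /bin/bash
dave    ALL=(root) /usr/sbin/apachectl restart
"""

def audit_sudoers(text):
    """Return (line_no, user, command, reason) per risky rule; aliases are not expanded."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        match = RULE.match(line)
        if line.startswith(SKIP) or not match:
            continue
        user, specs = match.groups()
        noexec = False  # a tag carries over to later commands in the same list
        for spec in specs.split(","):
            spec = spec.strip()
            while (tag := TAG.match(spec)):
                if tag.group(1) in ("NOEXEC", "EXEC"):
                    noexec = tag.group(1) == "NOEXEC"
                spec = spec[tag.end():]
            prog = os.path.basename(spec.split()[0]) if spec else ""
            if spec == "ALL":
                reason = "unrestricted: any command, including a shell"
            elif prog in SHELLS:
                reason = "direct root shell"
            elif prog in ESCAPES and not noexec:
                reason = "can shell out (no NOEXEC tag)"
            else:
                continue
            findings.append((line_no, user, spec, reason))
    return findings

if __name__ == "__main__":
    print("\n".join("line %d: %s -> %s (%s)" % f for f in audit_sudoers(SAMPLE)))
```

On the sample, the unrestricted `%admin` rule, the `vi` rule and the `bash` rule are flagged, while the `NOEXEC:` pager rule and the single-purpose `apachectl` rule pass.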