From: Erik Rothwell <erothwell@callgtn.com>
To: freebsd-questions@freebsd.org
Date: Tue, 7 Aug 2001 17:06:05 -0400 (EDT)
Subject: Re: Sudo Was: Re: Solved: Was:Re: root/superuser account - big problem - please help
Message-ID: <20010807165515.K18582-100000@endymion>

On Tue, 7 Aug 2001 chip.wiegand@simrad.com wrote:

> First, my apologies for top-posting, I am stuck with Lotus Notes and it
> sucks for an email client (here at work). I don't know if it handles
> inline replies properly.
>
> I have heard of but not tried sudo. You mention that it allows the user
> to do everything the root can do, but without the password. Is this a
> good thing? I can't imagine how. Why not just use the root account? I
> wouldn't want to configure any group to do everything root can do,
> considering the other person who needs to be in that group. (He's only
> there in case I leave this place, and is clueless in anything other than
> NT.)
>
> I just installed sudo since writing that last paragraph, so I'll be
> trying it.
>
> Regards,
> Chip

Sudo allows the system administrator to establish groups of users who can
execute some specified commands as root... It does extensive logging and
so forth to keep tabs on user activity, etc. You can configure it on a
time-limited basis, and you can set different passwords for various levels
of sudo access.

So, instead of doing:

  % su
  Password:
  # apachectl restart

You could create a sudo command that would let someone stop or restart
Apache.... it would still require a password, and be restricted by uid,
but, it wouldn't be the root password, nor provide full root access...
it'd look like:

  % sudo apachectl restart
  Password:
  ...

It's useful if others need access to things only root [can|should] do--
but you don't want to hand out root access to them. So, for instance,
you've got a group of junior administrators that need to run certain
pre-determined commands, sudo is a better option than giving out the root
account. (Of course, the above example could've been accomplished without
sudo, but, it's just an example.)

OTOH, sudo is easily misconfigured-- which can lead to its use by
unauthorized persons to gain elevated privileges... if you're the only one
who needs to execute commands as root, you probably don't need sudo...

Erik.
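As an added example (not part of Erik's message, and not taken from the sudo project's documentation), here is a sudoers fragment that implements the Apache case he describes for a group of junior administrators, together with the logging, time-limited password caching and per-level password settings he mentions, and the overly broad rule that is the misconfiguration to avoid. The group name junioradmins, the log file path and the apachectl path are assumptions.

```sudoers
# Added example, not from the original message. Assumed names: group
# "junioradmins", log file /var/log/sudo.log, and apachectl installed at
# /usr/local/sbin/apachectl (where the FreeBSD port puts it).

# Logging: every invocation, allowed or denied, is appended to this file
# in addition to syslog. This is the "extensive logging" Erik refers to.
Defaults logfile=/var/log/sudo.log

# Time-limited: a successful password entry is cached for 5 minutes, then
# sudo prompts again. Setting it to 0 makes sudo ask every time.
Defaults timestamp_timeout=5

# The command AND its argument are fixed. Because "restart" and "stop" are
# spelled out, "sudo apachectl <anything else>" is refused.
Cmnd_Alias APACHE_CTL = /usr/local/sbin/apachectl restart, \
                        /usr/local/sbin/apachectl stop

# Members of junioradmins may run exactly those commands as root, typing
# their own password rather than root's.
%junioradmins ALL = (root) APACHE_CTL

# Different password for a higher level of access: members of wheel get
# broad rights, but must type the root password instead of their own.
Defaults:%wheel rootpw
%wheel ALL = (root) ALL

# The misconfiguration to avoid. This one line hands the whole group
# unrestricted root, which is exactly what Chip did not want.
# %junioradmins ALL = (ALL) ALL
```

Edit the file with visudo rather than a plain editor, so a syntax error is caught before it locks everyone out of sudo; a member of the group can then run `sudo -l` to see which commands the rules actually grant them, which is a quick way to check that a rule is not broader than intended.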