From: Cliff Sarginson
To: Doug Young
Cc: Tim McMillen, MaTrIxDPN@aol.com, freebsd-questions@FreeBSD.ORG
Date: Thu, 4 Jan 2001 06:51:11 +0100
Subject: Re: Su[2] was:(no subject)
Message-ID: <20010104065111.A1054@buffy.raggedclown.net>
In-Reply-To: <027901c07607$5e899f20$847e03cb@apana.org.au>

On Thu, Jan 04, 2001 at 02:32:31PM +1000, Doug Young wrote:
> Hey I'm no expert :) ...... I guess it's to do with maximizing security
> though. The general idea is to control what applications users can run. Our
> policy here is to not have any users (even sysadmins) in wheel group. The
> only true root access is at the actual machine & users are given su access
> to only those functions necessary for them to do whatever they need.
>
> > Do you know why not? Details, I need details. :)
> >
> > > at least add the users to another group & then add the group to
> > > wheel,

This is plain silly, possibly even more likely to suffer from administrative
cockups. And doesn't help one iota ... however far you indirect a user
through groups, if he ends up as being in group wheel all you have done is
complicate things.

A good reason to have an alternative entry than group wheel is if you want to
have a root clone with a useable shell, as opposed to "csh".

sudo is a reasonable alternative for controlled root access.

Roll on Plan9, no concept of a root user in that O/S :)

Cliff
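The two mechanisms the thread contrasts (wheel membership, which hands out full root through su, and a sudoers policy that names specific commands) can be audited from the two text files that define them. The script below is an added example and is not part of Cliff's or Doug's mail; it parses a constructed /etc/group and a constructed sudoers fragment (both invented for the example, with the user names alice, bob, carol, dave and erin) and reports every account that effectively holds unrestricted root: direct members of wheel, anyone granted ALL via sudo (whether by name or through a %group that is just wheel under another label), and anyone granted a command such as vi that opens a shell unless the NOEXEC tag is present. The sudoers grammar handled is deliberately minimal (Cmnd_Alias and user specifications only; no Defaults, no #include); on a real host run visudo -c and sudo -l as well.

```python
import os
import re

# Constructed sample inputs for the example (not from any real system).
GROUP_FILE = """\
wheel:*:0:root,alice
operator:*:5:root
admins:*:1001:bob,carol
"""

SUDOERS = """\
Cmnd_Alias SERVICES = /usr/sbin/service apache24 restart, /usr/sbin/service sshd reload
Cmnd_Alias EDITORS  = /usr/bin/vi, /usr/local/bin/vim

# no better than putting admins in wheel: full root for everyone in the group
%admins  ALL=(ALL) ALL
# looks restricted, but ':!sh' inside vi is a root shell
carol    ALL=(root) EDITORS
# genuinely restricted: named commands with fixed arguments
bob      ALL=(root) SERVICES
dave     ALL=(root) NOPASSWD: /sbin/shutdown -r now
# NOEXEC stops vi from spawning a shell, so this stays restricted
erin     ALL=(root) NOEXEC: /usr/bin/vi /etc/hosts
"""

# Programs that are a shell, or that can exec one unless sudo's NOEXEC applies.
SHELLS = {"sh", "csh", "tcsh", "bash", "zsh", "ksh"}
ESCAPES = {"vi", "vim", "less", "more", "man", "find", "awk", "perl", "python"}


def parse_group(text):
    """/etc/group -> {group: set(members)}; members are the 4th colon field."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return (cmnd_aliases, user_specs) for the minimal grammar described above.
    A user spec is kept as (who, command-list-string) with the host and (runas)
    part stripped; host restrictions are ignored for this check."""
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)", line)
        if m:
            specs.append((m.group(1), m.group(2)))
    return aliases, specs


def expand(cmnd_list, aliases):
    """Yield (tags, command) for each command in a spec. Tags such as NOPASSWD:
    or NOEXEC: apply to every command that follows them in the list, as in
    sudoers; alias names are replaced by the commands they stand for."""
    tags = set()
    for item in cmnd_list.split(","):
        words = item.split()
        while words and words[0].endswith(":"):
            tags.add(words.pop(0)[:-1])
        cmd = " ".join(words)
        for real in aliases.get(cmd, [cmd]):
            yield frozenset(tags), real


def grants_root_shell(tags, cmd):
    """Return a short reason if this grant amounts to unrestricted root, else None."""
    if cmd == "ALL":
        return "ALL"
    base = os.path.basename(cmd.split()[0])
    if base in SHELLS:
        return base
    if base in ESCAPES and "NOEXEC" not in tags:
        return base + " (shell escape)"
    return None


def unrestricted_root(group_text, sudoers_text):
    """{user: [reasons]} for every non-root account with effective full root."""
    groups = parse_group(group_text)
    findings = {}
    for u in sorted(groups.get("wheel", ())):
        if u != "root":
            findings.setdefault(u, []).append("in wheel: su to root")
    aliases, specs = parse_sudoers(sudoers_text)
    for who, cmnds in specs:
        users = groups.get(who[1:], set()) if who.startswith("%") else {who}
        for tags, cmd in expand(cmnds, aliases):
            why = grants_root_shell(tags, cmd)
            if why:
                for u in sorted(users):
                    findings.setdefault(u, []).append(f"sudo {why} via '{who}'")
    return findings


if __name__ == "__main__":
    for user, reasons in unrestricted_root(GROUP_FILE, SUDOERS).items():
        print(user, "->", "; ".join(reasons))
```

On the sample data the script flags alice (wheel), bob (ALL through %admins) and carol (ALL through %admins, plus the editor grant), while dave and erin are left alone: a fixed shutdown command and a NOEXEC-tagged editor are the shape of "su access to only those functions necessary" that the thread is after.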