Date: Thu, 22 Feb 2007 17:09:16 -0500 From: Jerry McAllister <jerrymc@msu.edu> To: Jeffrey Goldberg <jeffrey@goldmark.org> Cc: questions@freebsd.org Subject: Re: Reg, User rights Message-ID: <20070222220915.GA21246@gizmo.acns.msu.edu> In-Reply-To: <49E26058-A5E3-4F24-9884-CD50BBED3D5E@goldmark.org> References: <1a61db890702210222h5e7258aaw8c4caac677cd278d@mail.gmail.com> <20070222170214.GA20259@gizmo.acns.msu.edu> <49E26058-A5E3-4F24-9884-CD50BBED3D5E@goldmark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Feb 22, 2007 at 03:33:50PM -0600, Jeffrey Goldberg wrote: > On Feb 22, 2007, at 11:02 AM, Jerry McAllister wrote: > > >Install and set up sudo (/usr/ports/security/sudo) and create a > >configuration for that user so they can run specific commands that > >you specify and only those commands. This is a very good method, > >but sometimes it takes some careful thought to deal with the various > >commands and their possible arguments that you want to allow or > >disallow. > > This is my choice. I haven't done a careful comparison of all of the > methods you proposed, but I find this the most natural, particularly > after using OS X for 5 years. > > This is what I do for myself (there are no other people with accounts > on the particular machine.) In /etc/passwd I have a normal user and > group that was setup during installation. A added that user to the > wheel group in /etc/groups and configured /usr/local/etc/sudoers with > the line > > %wheel ALL=(ALL) ALL > > This works just fine. Users in the wheel group can use sudo to > execute things as root, but they only need their own passwords. > Root's password is extremely good and basically never used, so it is > stored away in some secure manner and doesn't exist in anybody's head. > > I like the idea of not having to give out a root-like password but > still to require authentication when operating as root. Ever since I > learned this trick from OS X, I've been using it everywhere I can > install sudo. That is probably the best general solution if you want to give overall admin rights. But, often there is a reason to give only a limited set of root (admin) priviledges. Then the sudo config (sudoers) must be more complex and can get tricky if the limits are complicated. ////jerry > > -j > > > -- > Jeffrey Goldberg http://www.goldmark.org/jeff/ >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070222220915.GA21246>