On Tue, Jun 24, 2014 at 8:33 AM, Filipe Brandenburger <filbranden@xxxxxxxxxx> wrote:
> On Tue, Jun 24, 2014 at 6:27 AM, Renich Bon Ciric
> <renich@xxxxxxxxxxxxxxxx> wrote:
>> The reason they enable sudo and lock root is to keep better auditing
>> options. But, hey, it's not like you're gonna create 20 keys in a
>> single server for 20 admins to go in and do stuff.
>
> Huh, it kind of is... If you create a project and add many users to
> it, all of them will get accounts created by google-compute-daemon, so
> in effect every user of the project will be able to login to every
> compute instance. I currently work on a project with 5 users and all
> of us can log in to all instances. If someone else comes along to the
> project, we just add them and they get access to all instances
> automatically.

My only problem with that is that it will create passwordless sudo for
all of them. I don't think you want 20 admins in a 20 user server. My
point is that, usually, one is admin and he delegates (through sudo,
perms and groups, ACL, SELinux, etc).

>> I can live with SSH keys injected to root. A root with its SSH
>> allowing login without-password only. This would be convenient and no
>> passwords involved.
>
> I see value in keeping home directories for each user... For instance,
> that means I don't *have* to be root all the time and I don't run the
> risk of typing a mistaken command and hosing the box... It also means
> I can customize my home with a .bashrc, .vimrc, .gitconfig without
> worrying about my colleagues logging in to that box and being annoyed
> by my settings taking over.

Oh, I agree with you! No need to be root all the time. I'd create a mortal
user account as well; use root only for admin stuff. But, in the
current design, every account you create is root, if they use sudo.
That's not so cool...

Also, if you're root, you can have ~/.vimrc and ~/.gitconfig without
them polluting your users' environment. ;)

--
It's hard to be free... but I love to struggle.
Love isn't asked for; it's just given. Respect isn't asked for; it's earned!
Renich Bon Ciric
http://www.woralelandia.com/
http://www.introbella.com/
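The concern raised in this thread, that every auto-created account ends up with passwordless sudo, can be checked on an instance by listing which users and groups hold an unrestricted `NOPASSWD` grant to root. The following is an added example, not part of the original message and not code from google-compute-daemon; the sudoers content is a constructed sample, and the parser assumes plain rules only (it does not expand aliases or follow `#include` directives).

```python
import re

# Constructed sample sudoers content (illustrative, not from any real image).
SAMPLE = """\
Defaults    env_reset
root        ALL=(ALL) ALL
alice       ALL=(ALL) NOPASSWD: ALL
bob         ALL=(ALL:ALL) NOPASSWD: \\
            ALL
%wheel      ALL=(ALL) ALL
%deployers  ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
carol       ALL = NOPASSWD:ALL   # no Runas spec: defaults to root
"""

RULE = re.compile(r"^(?P<who>\S+)\s+[^=]+?\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.*)$")
TAG = re.compile(r"([A-Z_]+)\s*:\s*")
NOT_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Join '\\' continuations, drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = re.sub(r"\s#.*$", "", buf + line).strip(), ""
        if line and not line.startswith("#"):
            yield line

def passwordless_root(text):
    """Return users/%groups that may run ALL commands as root with NOPASSWD."""
    hits = []
    for line in logical_lines(text):
        m = RULE.match(line)
        if not m or m["who"].startswith(NOT_RULES):
            continue
        # Only the user part of the Runas spec matters; absent means root.
        runas = (m["runas"] if m["runas"] is not None else "root").split(":")[0]
        if not {u.strip() for u in runas.split(",")} & {"ALL", "root"}:
            continue
        nopasswd = False
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):  # tags persist across the command list
                if t[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t[1] == "NOPASSWD"
                cmd = cmd[t.end():]
            if nopasswd and cmd == "ALL":
                hits.append(m["who"])
                break
    return hits

if __name__ == "__main__":
    print(passwordless_root(SAMPLE))
```

In the sample, the `%deployers` rule is the delegated form argued for above: passwordless, but limited to one command.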