On February 4, 2004 08:00 am, Rodolfo J. Paiz wrote:
> At 23:00 2/3/2004, you wrote:
> > If you disallow root login, you could let users log in as their regular
> > id, then use sudo to control what root access is allowed or PAM to
> > control who can su to what other accounts.
>
> You can also improve this by:
>
>     1. chown root.wheel /bin/su
>
>     2. chmod 4750 /bin/su
>
>     3. Add the users who are authorized to become root to the wheel
>        group with "gpasswd -a user wheel".
>
> Now, only those users will have access to the "su" command. Other users may
> be given administrative privileges for one or more commands with the "sudo"
> command.
>
> --
> Rodolfo J. Paiz
> rpaiz@xxxxxxxxxxxxxx
> http://www.simpaticus.com

I like that. And not to get into a one up or anything, but if you created a
su-users group for those users, you would avoid spilling any other access the
wheel group may have. Or use sudo with 'su' as the command set for those users
(or their sudo group).

You do need to be careful with the other sudo entries, as things like vi, vim,
less, and more can be broken out of with root access and (I think) no audit
trail when run from sudo. You can use rvim for the editor but I don't know
about a screen pager.

--
Pete Nesbitt, rhce

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
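An audit sketch for the setup discussed in this thread, added here as an example and not part of either poster's message: it checks that su carries the 4750 root:group permissions from the steps above and lists sudoers entries that grant the escapable programs the reply names (vi, vim, less, more). The function names and the sudoers sample are constructed for illustration, and the scan assumes one rule per line.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes sudoers rules sit on one line each (no backslash continuations).

# Programs the thread names as escapable to a root shell when run via sudo.
ESCAPE_CMDS="vi vim less more"

# su_restricted MODE OWNER GROUP EXPECTED_GROUP
# Typical call: su_restricted $(stat -c '%a %U %G' /bin/su) wheel   (GNU stat)
# Succeeds only for setuid root, no access for "other", expected group.
su_restricted() {
    [ "$1" = "4750" ] && [ "$2" = "root" ] && [ "$3" = "$4" ]
}

# risky_sudo_entries FILE
# Prints LINE:COMMAND for every command (in user specs and Cmnd_Alias
# definitions) whose basename is in ESCAPE_CMDS.
risky_sudo_entries() {
    awk -v list="$ESCAPE_CMDS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*Defaults/ || !/=/ { next }
        {
            spec = substr($0, index($0, "=") + 1)  # text after the first "="
            gsub(/\([^)]*\)/, "", spec)             # drop (runas) lists
            gsub(/[A-Z_]+:/, "", spec)              # drop tags like NOPASSWD:
            m = split(spec, cmds, ",")
            for (i = 1; i <= m; i++) {
                split(cmds[i], w, " ")              # w[1] is the command path
                k = split(w[1], p, "/")
                if (k > 0 && (p[k] in risky)) print NR ":" w[1]
            }
        }
    ' "$1"
}

# Constructed sudoers sample for trying the scan offline.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not taken from the thread
Defaults env_reset
%su-users ALL=(root) /bin/su
alice ALL=(ALL) NOPASSWD: /usr/bin/vim /etc/hosts, /usr/bin/less /var/log/messages
bob ALL=(root) /usr/bin/rvim /etc/hosts
carol ALL=(root) /bin/more /var/log/secure
EOF
}
```

An empty result from `risky_sudo_entries` only means none of the four programs named in the thread appear; other programs can spawn shells as well, so the list in `ESCAPE_CMDS` is a starting point.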