IME it may be a "real pain" to sudo view every log, but for any time you need accountability, you should either sudo view all logs, or change who owns log files (IE create a log group and give group read access to them). Once you switch to root there's no "reliable" logging of what's going on. Allowing sudo su - (implied root) is a bad idea, imo.

Rob Marti

________________________________________
From: redhat-list-bounces@xxxxxxxxxx [redhat-list-bounces@xxxxxxxxxx] On Behalf Of mark [m.roth2006@xxxxxxx]
Sent: Monday, June 22, 2009 13:27
To: General Red Hat Linux discussion list
Subject: Re: SUDO

Hike wrote:
> Why?
>
> If the user knows the root password, there is no need.

Ok, let me explain further. We're not talking home systems, we're talking corporate. And no, *not* everyone knows the root password. In fact, using sudo su - means they do not have to know it.

>
> If sudo is configured correctly, there is no need to "su - root" since
> the user can already run the needed commands.

That depends. Some users - presumably admins - can be configured to be allowed to run only certain commands. Others may need less limited use, and it can be a lot easier if they can get to root; for example, when I'm going to look at logs, and only root can read them, or even look in some directories under /var/log, it's a *real* pain to sudo view every single log.

>
> "man sudo" should explain how to configure sudo and the location of the
> configuration file.
>
> Did you stop to think that you might not be permitted to do this with
> sudo or that the "sudo su - root" may need to be defined in the
> configuration file or that the entire su command may need to be quoted,
> etc. So that sudo would understand?

The original poster did say they thought they'd configured it correctly, implying - this may not be the case - that they did have access to do this.
mark

>
> On Jun 22, 2009, at 1:27 PM, Matias Nicolas <matiasnicolas@xxxxxxxxxx> wrote:
>
>>
>> I know that sudo is for running commands with root privileges but this
>> idea is about typing "sudo su -" and use one's password and not root's.
>>
>> That's all...
>>
>>> Date: Mon, 22 Jun 2009 12:14:41 -0500
>>> From: m.roth2006@xxxxxxx
>>> To: redhat-list@xxxxxxxxxx
>>> Subject: Re: SUDO
>>>
>>> Hike wrote:
>>>> If you have the root password, try the following.
>>>>
>>>> $ su - root
>>>>
>>>> When prompted, enter the root password.
>>>>
>>>> sudo is to permit regular users to run privileged commands. What you
>>>> are trying to do is overly complex and redundant.
>>>>
>>> Not necessarily. A lot of places want more security, and locking down
>>> root.
>>>
>>> mark
>>>
>>> --
>>> redhat-list mailing list
>>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>>> https://www.redhat.com/mailman/listinfo/redhat-list
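
The accountability point raised at the top of this thread (once a user switches to root, sudo no longer records what they do) can be checked against sudo's own log. The following is an added example, not part of the original thread: it scans sudo syslog entries and flags the ones where the granted command is a root shell rather than a specific command. The shell list, function names and sample lines are assumptions made for illustration.

```python
import os
import re
import shlex

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}  # assumed list
LINE_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*)$")

def parse_sudo_line(line):
    """Return (user, target, command, denied), or None if not a sudo entry."""
    m = LINE_RE.search(line)
    if not m or "COMMAND=" not in m.group("rest"):
        return None
    head, command = m.group("rest").split("COMMAND=", 1)
    parts = [p.strip() for p in head.split(" ; ") if p.strip()]
    # A leading part without "=" is a status such as "command not allowed".
    denied = bool(parts) and "=" not in parts[0]
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    return m.group("user"), fields.get("USER", "root"), command.strip(), denied

def is_root_shell(target, command):
    """True when the logged command hands over an interactive root shell."""
    argv = shlex.split(command)
    if not argv or target != "root" or "-c" in argv[1:]:
        return False  # not root, or a single command that sudo itself logged
    name = os.path.basename(argv[0])
    if name == "su":
        users = [a for a in argv[1:] if not a.startswith("-")]
        return not users or users[0] == "root"
    return name in SHELLS

def unaccountable_sessions(lines):
    """(user, command) pairs where sudo logged only the start of a root shell."""
    hits = []
    for line in lines:
        parsed = parse_sudo_line(line)
        if parsed and not parsed[3] and is_root_shell(parsed[1], parsed[2]):
            hits.append((parsed[0], parsed[2]))
    return hits

# Constructed sample lines in sudo's syslog format; host and users are made up.
SAMPLE = [
    "Jun 22 13:27:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -",
    "Jun 22 13:28:10 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/messages",
    "Jun 22 13:30:45 host1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su - root",
    "Jun 22 13:31:02 host1 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash",
    "Jun 22 13:32:00 host1 sshd[2211]: Accepted password for alice from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    for user, command in unaccountable_sessions(SAMPLE):
        print(f"{user}: root shell via sudo ({command})")
```

Entries such as bob's, where sudo runs one named command, stay fully attributable; the flagged entries are the last thing sudo records about that session.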