hike wrote:
> On Mon, Jun 29, 2009 at 3:49 PM, mark <m.roth2006@xxxxxxx> wrote:
>> hike wrote:
>>> On Mon, Jun 29, 2009 at 10:16 AM, Mertens, Bram <mertensb@xxxxxxxxxxxx
>>> wrote:
>>>
>>>> I'd like to elaborate on this a bit.
>>>>
>>>> The intention of sudo is to allow specific users to execute specific
>>>> commands while keeping the root account locked down. In addition sudo
>>>> provides a trace of which user executed which command in /var/log/secure
>>>> that can be used for auditing.
>>>>
>>>> The sudoers file should allow as little as possible to as few users as
>>>> possible!
>>>>
>>>> If you allow users to execute sudo su - with or without having to enter
>>>> the root password you gain nothing. While working as root no actions
>>>> are logged and all log files can be edited to remove any trace of
>>>> "illegal" actions.
>> <snip>
>>> the op wants to hack the system and gain resources he has no
>>> authorization for.
>> Or the managers don't want to share root password, say, with a contractor, who
>> they've hired as a sysadmin, but will only be there a few months, and they
>> don't want to have to change root passwords.
>
> that is a distinction without a difference.
>
> the op wants to hack the system and gain resources he has no authorization
> for.

You're completely wrong. If, in my example, the contractor is granted the
individual account, and group access to explicitly allow that - and it *is*
a specific specification in /etc/sudoers, it may be management's intent to
have them do it that way. That was exactly the case for me on a recent
contract. My managers told me to do it that way.

So, it is both a distinction *and* a difference.

        mark
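
The audit-trail point quoted earlier in the thread (sudo records each command in /var/log/secure, but nothing is logged once `sudo su -` has handed over a root shell) can be checked from the log itself. The following is an added example, not part of any poster's message: it goes beyond `su` to any shell started through sudo, the function names are illustrative, and the log lines are constructed in sudo's usual syslog format.

```python
import os
import re

# sudo's syslog record: "sudo:  <user> : [reason ; ]KEY=val ; ... ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*)$")
# Programs that hand over an interactive shell, after which sudo logs nothing more.
SHELLS = {"su", "sh", "bash", "ksh", "csh", "tcsh", "zsh"}

def parse_sudo_line(line):
    """Return (user, fields) for a sudo record, or None for any other line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    # COMMAND is always last and may itself contain " ; ", so split it off first.
    head, sep, cmd = m.group("rest").partition("COMMAND=")
    if not sep:
        return None
    fields = {"COMMAND": cmd.strip()}
    for part in head.split(" ; "):
        key, eq, val = part.strip().partition("=")
        if eq:
            fields[key] = val
        elif key:
            fields["DENIED"] = key  # e.g. "command not allowed"
    return m.group("user"), fields

def unlogged_shell_sessions(lines):
    """List (user, command) for each permitted sudo run that started a shell."""
    hits = []
    for line in lines:
        parsed = parse_sudo_line(line)
        if parsed is None:
            continue
        user, fields = parsed
        if "DENIED" in fields or not fields["COMMAND"]:
            continue  # refused attempts never produced a shell
        argv0 = os.path.basename(fields["COMMAND"].split()[0])
        if argv0 in SHELLS:
            hits.append((user, fields["COMMAND"]))
    return hits

# Constructed sample lines (hosts, users and times are made up).
SAMPLE = [
    "Jun 29 10:16:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart",
    "Jun 29 10:17:40 host1 sudo: contractor : TTY=pts/2 ; PWD=/home/contractor ; USER=root ; COMMAND=/bin/su -",
    "Jun 29 10:18:02 host1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Jun 29 10:19:15 host1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2",
    "Jun 29 10:20:33 host1 sudo:    carol : TTY=pts/3 ; PWD=/root ; USER=root ; COMMAND=/bin/bash",
]
```

Each hit marks the last line the audit trail holds for that session; `unlogged_shell_sessions(SAMPLE)` reports the contractor's `su -` and carol's `bash`, and skips bob's refused attempt.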