Default sudo setup (Was: Re: The Future of Fedora.)

Josiah Royse JROYSE at SYGMAnetwork.com
Wed Dec 10 18:39:25 UTC 2003


> That's definitely a useful idea and worth considering.  I have felt
> for a long time that we need to streamline the local experience without
> destroying security; that's why I wrote pam_console.
> 
> I think we'd want to do things differently -- using the wheel group
> instead of inventing another group, having a root password by default,
> prompting for root password for users not in the wheel group and for
> their own password for users in the wheel group, but certainly having
> a checkbox for "administrative privileges" when adding a user graphically
> and acting on that is worth discussion.
> 
> Other thoughts?
> 
> michaelkjohnson

Concerning permission differences in client machines and servers, care
would have to be taken in an NIS or LDAP environment if the server and
client machines had the same /etc/sudoers file. (Yes, that would be a
sysadmin mistake.)  That is, unless the "wheel" group security depended
also on local console access.  This would prevent a local "wheel" group
user (NIS/LDAP) from logging on remotely to another user's machine and
changing settings without being in front of the console.  Makes sense,
right?

--Josiah
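
The shared-file concern raised in the message above, as an added example that is not part of the original post: a small Python check that flags `%wheel` rules in a sudoers file whose host list includes `ALL`, the case where a directory-supplied (NIS/LDAP) wheel member gets sudo on every machine that receives the same file. The sample file, host names and function names are constructed for illustration, and only rules with a single entry in the user field are handled.

```python
import re

# Constructed sample: one sudoers file pushed unchanged to servers and clients.
SHARED_SUDOERS = """\
# constructed example, not from the original post
Host_Alias DESKTOPS = ws01, ws02
Defaults   env_reset
root       ALL=(ALL) ALL
%wheel     ALL=(ALL) ALL
%helpdesk  DESKTOPS=(ALL) /sbin/shutdown, \\
           /sbin/reboot
%wheel     DESKTOPS, ALL = NOPASSWD: ALL
"""

# user-field, host-list, then '=' (single entry in the user field only)
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=")


def logical_lines(text):
    """Yield (first_line_no, text): comments dropped, continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield start, buf.strip()
        buf, start = "", None


def group_rules_on_all_hosts(text, group="%wheel"):
    """Return (line_no, rule) for each rule granting `group` sudo on host ALL."""
    findings = []
    for n, line in logical_lines(text):
        m = RULE.match(line)
        if m and m.group("who") == group:
            hosts = [h.strip() for h in m.group("hosts").split(",")]
            if "ALL" in hosts:
                findings.append((n, line))
    return findings


if __name__ == "__main__":
    for n, rule in group_rules_on_all_hosts(SHARED_SUDOERS):
        print(f"line {n}: {rule}")
```

A rule scoped to a `Host_Alias` of workstations only, with no `ALL` in its host list, is not reported.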





More information about the fedora-devel-list mailing list