user with root privilege

Jeff Vian jvian10 at charter.net
Tue Apr 20 01:04:52 UTC 2004



Björn Persson wrote:

> Jeff Vian wrote:
>
>> Björn Persson wrote:
>>
>>> If more than one person needs root access, and a few selected 
>>> commands through sudo isn't enough, then surely it's better to have 
>>> multiple root accounts that to share a password.
>>>
>> I disagree!
>>
>> Here is a situation where this does not make sense, and the use of 
>> sudo does make sense
>
>
> You don't need to prove to me that sudo is useful. Please read what I 
> actually write so you don't disagree with something I've never said. I 
> said _if_ there is a situation where _sudo_isn't_enough_, then 
> multiple root accounts with separate passwords is better than multiple 
> administrators sharing one root password. The little typo I made 
> didn't make the sentence that hard to understand, did it?
>
>> 3.  An additional valid argument against allowing users to routinely 
>> log in and function as root is that a single careless keystroke can 
>> take the system completely down and cost you (or the company) 
>> thousands or even millions in doing recovery and possible lost 
>> business or sales.
>
>
> And now it seems like you think I've said that users should do 
> everything as root. I haven't. *Of course* you should run commands as 
> root only when absolutely necessary.
>
> Björn Persson
>
Sorry, my reply was not aimed at you.  It was added to voice my reasons 
for being adamantly against having any account other than root with full 
root privileges.

This is what the OP wanted to do, and some have indicated this would be 
OK.  In my opinion it is not.

If your users with root access and sudo access do not communicate enough 
to be able to have one ask the admin who does have the root access to 
assist in the *very few* cases where sudo would not achieve the goal 
then there is a problem.

Also, there _should_ never be a situation where this could occur if the 
user is really trusted with full root access. Sudo can be set up in such 
a way that the trusted user can be given full access to all commands 
that root must run with no restrictions and with the extra layer of 
logging enabled.  On my machines I use sudo to run everything and 
/never/ log in as root at any time other than the first new install and 
configuration.

For those who are unaware of the very flexible configurations available 
with sudo, look at the man pages for sudo, visudo, and sudoers.  It can 
be tailored in any way needed to allow many users access to the commands 
they need and still restrict access to the commands that only a few 
should ever need to just those few.  Sudo is a friend to all system admins.
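
Added example, not part of the original post: a sudoers fragment showing the two setups the message describes, full access with logging for a trusted administrator and a short command list for everyone else. The user names, the command list and the log path are assumptions chosen for illustration.

```sudoers
# Constructed example: the user names (alice, bob, carol) and the web-server
# commands are assumptions. Check syntax before installing: visudo -cf <file>

# Record every sudo invocation in a dedicated log file.
Defaults logfile="/var/log/sudo.log"
# Also record terminal input/output of sudo sessions, so that work done
# inside a root shell started through sudo is captured as well.
Defaults log_input, log_output

# Fully trusted administrators: any command, as any user, authenticated with
# their own password. No shared root password, no second UID 0 account.
User_Alias  FULLADMINS = alice
FULLADMINS  ALL = (ALL) ALL

# Operators who only need a few specific commands.
User_Alias  WEBOPS  = bob, carol
Cmnd_Alias  WEBCMDS = /usr/bin/systemctl restart httpd, \
                      /usr/bin/systemctl reload httpd
WEBOPS      ALL = (root) WEBCMDS
```

Each log entry names the invoking user, which is the accountability that a shared root password or a duplicate root account cannot give.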




