SUDO

mark m.roth2006 at rcn.com
Mon Jun 29 19:49:14 UTC 2009


hike wrote:
> On Mon, Jun 29, 2009 at 10:16 AM, Mertens, Bram <mertensb at mazdaeur.com> wrote:
> 
>> I'd like to elaborate on this a bit.
>>
>> The intention of sudo is to allow specific users to execute specific
>> commands while keeping the root account locked down.  In addition sudo
>> provides a trace of which user executed which command in /var/log/secure
>> that can be used for auditing.
>>
>> The sudoers file should allow as little as possible to as few users as
>> possible!
>>
>> If you allow users to execute sudo su - with or without having to enter
>> the root password you gain nothing.  While working as root no actions
>> are logged and all log files can be edited to remove any trace of
>> "illegal" actions.
<snip>
> the op wants to hack the system and gain resources he has no authorization
> for.

Or the managers don't want to share root password, say, with a contractor, who
they've hired as a sysadmin, but will only be there a few months, and they
don't want to have to change root passwords.

	mark
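
An added example, not part of the original messages: a Python check for the point in the quoted text above, that a sudoers rule allowing `sudo su -` (or any root shell) defeats sudo's per-command audit trail. The sample sudoers text, its user names and the function name `audit_sudoers` are constructed for illustration; alias expansion and `#include` files are not handled.

```python
import re

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sample sudoers content (not taken from the thread).
SAMPLE_SUDOERS = """\
# constructed example
Defaults    env_reset
contractor  ALL=(root) NOPASSWD: /bin/su -
webadmin    ALL=(root) /sbin/service httpd restart, \\
            /usr/bin/tail /var/log/httpd/error_log
%wheel      ALL=(ALL) ALL
backup      ALL=(root) /bin/bash /usr/local/bin/backup.sh
ops         ALL=(root) NOPASSWD: /bin/bash
"""

def audit_sudoers(text):
    """Return (user, command, reason) for rules that amount to an unaudited root shell."""
    findings = []
    text = text.replace("\\\n", " ")              # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith(SKIP) or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        user = who.split()[0]
        # Split the command list on commas that are not inside a (runas) list.
        for cmd in re.split(r",(?![^(]*\))", spec):
            # Strip an optional (runas) list and tags such as NOPASSWD:
            cmd = re.sub(r"^\s*(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*", "", cmd).strip()
            if not cmd or cmd.startswith("!"):
                continue
            argv = cmd.split()
            name = argv[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted: any command, including shells"))
            elif name == "su":
                findings.append((user, cmd, "root shell via su: later commands are not logged by sudo"))
            elif name in SHELLS and len(argv) == 1:
                # A command listed without arguments may be run with any arguments.
                findings.append((user, cmd, "bare shell: later commands are not logged by sudo"))
    return findings

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user:12} {cmd:12} {reason}")
```

The `backup` rule is not flagged because a command listed with arguments only matches those exact arguments, while the bare `/bin/bash` granted to `ops` accepts anything.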




More information about the redhat-list mailing list