On Sun, 2002-10-06 at 00:51, David Guntner wrote:
> James Sparenberg grabbed a keyboard and wrote:
> >
> > On Sat, 2002-10-05 at 14:52, Toshiro wrote:
> > >
> > > What's the point in doing that way? When you use ssh, the communication
> > > is encrypted. I don't see the advantage of ssh as a normal user first.
> >
> > From having had it save my buns... Big advantage is that you know who
> > su'd to root. I had a boy genius who "discovered" root from one of my
> > employee's logged in su'd and made some changes he wanted ... ie opening
> > up some ports for a file sharing software that he wanted to use company
> > bandwidth for. The only reason we caught it was because of the su...
> > now granted this has been a couple of years but it does illustrate a
> > use. (One reason I like the BSD style su over linux) The advantage....
> > paper trail so to speak.
>
> BTW, if you haven't already seen it, Vince wrote an excellent piece on the
> Mandrake Security site regarding a way of locking up su. Basically, you
> remove the suid bit from /bin/su, which makes it impossible for someone who
> knows the root password from su'ing to root (since it has to run with root
> privs to do its thing). Then you set up the people that you want to have
> access in the /etc/sudoers file and let *them* access root. They would
> then use the command "sudo su" to switch. The downside is that if one of
> those people have their password compromised, then someone will have access
> to root if they know about it and are accessing the compromised account.
> The upside is that the action *will* be logged, so you'll at least know it
> happened. It's a thought, anyway.
>
> --Dave

Dave,

Does have advantages, I just wish I could set Linux up to do su like FreeBSD does. ONLY the users put into group wheel can su to root. Period. Access to files is determined by the groups you are in. If www is the group for your web server and you aren't in www you can't see or change those files... Makes group management a bit more tricky and probably isn't very user friendly for a desktop. But on a server with 100's of users limiting those who can go to root to 1 or 2 makes security a lot easier to manage.

James
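
Added example, not part of the original messages: a small shell audit that reports which of the two lock-downs discussed in this thread is in effect (su stripped of its suid bit, or su limited to group wheel). It assumes a Linux-PAM system where the wheel-only rule is enforced by pam_wheel.so in the su PAM file, which the thread itself does not mention; the function names, file layout and sample users are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify how su-to-root is restricted on a host.
# Paths are parameters so the check can run against copies of the files.

# Succeeds if FILE still carries the setuid bit.
has_setuid() { [ -u "$1" ]; }

# Prints the members of group NAME in GROUPFILE as listed in field 4.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Succeeds if PAMFILE has an active (uncommented) auth line requiring
# pam_wheel (assumption: Linux-PAM; module given bare or with a full path).
pam_wheel_enforced() {
    awk '$1 == "auth" && ($2 == "required" || $2 == "requisite") &&
         $3 ~ /pam_wheel\.so$/ { found = 1 }
         END { exit !found }' "$1"
}

# audit_su SU_BINARY PAM_SU_FILE GROUP_FILE
# Prints one verdict: no-suid | wheel-only:<members> | open
audit_su() {
    if ! has_setuid "$1"; then
        echo "no-suid"        # su cannot gain root; root access is via sudo
    elif pam_wheel_enforced "$2"; then
        echo "wheel-only:$(group_members "$3" wheel)"
    else
        echo "open"           # anyone who knows the root password can su
    fi
}

# Constructed sample files (not taken from any real host).
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/su"; chmod 4755 "$d/su"
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        'auth required pam_wheel.so use_uid' > "$d/pam_su"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:james,dave' > "$d/group"
    audit_su "$d/su" "$d/pam_su" "$d/group"    # wheel-only:james,dave
    chmod u-s "$d/su"
    audit_su "$d/su" "$d/pam_su" "$d/group"    # no-suid
    rm -rf "$d"
}
demo
```

On a real host the call would be `audit_su /bin/su /etc/pam.d/su /etc/group`; users whose primary group is wheel do not appear in field 4 of the group file and need a separate check against the passwd file.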
