> The nexus of my query lies in my attempt to have our central IT folks
> issue additional identities for users to have when administering the
> systems versus doing productivity work on them. I'd like to understand
> what is done generally when granting users permissions to do things on
> the operating system that imply 'administration', i.e. installing
> software, adding printers, modifying system scripts, etc. There are
> some here who think that putting standard user IDs into
> administrative 'groups' is sufficient for granting such privileges.

Users will always resist anything that will cause them to type in
another password to get their job done.

Probably you want to mix approaches a bit.

Certain tasks will warrant a separate login, in part to sandbag against
trojans and other malware. If you do set up such accounts, make sure
browsing-type accounts are not allowed to sudo to admin-type accounts,
and establish a policy of not using su from the browsing accounts.
(Helps keep any keyloggers from getting at abuseable passwords.) I'd
even suggest not allowing login from the browsing accounts, but I
haven't yet figured out how to effectively

    sudo -u joe2 webbrowser .

Heh.

One difficulty is getting users into the habit of knowing when to share
files with themselves.

--
Joel Rees   <[EMAIL PROTECTED]>
digitcom, inc.   <http://www.ddcom.co.jp> **

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
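
Added example, not part of the original message or of any FreeBSD default configuration: a sudoers fragment contrasting the "put standard IDs into an admin group" setting from the question with the separate-identity setup the reply recommends. The account names (joe, joe2, joeadm) and the file path are constructed assumptions.

```sudoers
# Constructed names: joe = everyday login, joe2 = browsing-only account,
# joeadm = administration-only account. File path is an assumption,
# e.g. /usr/local/etc/sudoers.d/zz-split-accounts, edited with visudo -f.

# Weak setting: standard and browsing IDs are just added to an admin group.
#   %wheel    ALL = (ALL) ALL      # with joe and joe2 both members of wheel

# Corrected setting: only the dedicated admin identity gets a rule.
User_Alias  ADMINS   = joeadm
User_Alias  BROWSING = joe2

ADMINS      ALL = (root) ALL

# sudoers uses the last matching rule, so keep this deny at the very end:
# it still wins if a browsing account is later added to a privileged group.
BROWSING    ALL = (ALL) !ALL
```

On FreeBSD the stock /etc/pam.d/su only lets members of wheel su to root, so keeping the browsing accounts out of wheel backs up the "no su from browsing accounts" policy.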
