On Thu, Feb 22, 2007 at 03:33:50PM -0600, Jeffrey Goldberg wrote:

> On Feb 22, 2007, at 11:02 AM, Jerry McAllister wrote:
> 
> >Install and set up sudo  (/usr/ports/security/sudo) and create a
> >configuration for that user so they can run specific commands that
> >you specify and only those commands.   This is a very good method,
> >but sometimes it takes some careful thought to deal with the various
> >commands and their possible arguments that you want to allow or
> >disallow.
> 
> This is my choice.  I haven't done a careful comparison of all of the  
> methods you proposed, but I find this the most natural, particularly  
> after using OS X for 5 years.
> 
> This is what I do for myself (there are no other people with accounts  
> on the particular machine.)  In /etc/passwd I have a normal user and  
> group that was setup during installation.  A added that user to the  
> wheel group in /etc/groups and configured /usr/local/etc/sudoers with  
> the line
> 
>   %wheel  ALL=(ALL)       ALL
> 
> This works just fine.  Users in the wheel group can use sudo to  
> execute things as root, but they only need their own passwords.   
> Root's password is extremely good and basically never used, so it is  
> stored away in some secure manner and doesn't exist in anybody's head.
> 
> I like the idea of not having to give out a root-like password but  
> still to require authentication when operating as root.  Ever since I  
> learned this trick from OS X, I've been using it everywhere I can  
> install sudo.

That is probably the best general solution if you want to give
overall admin rights.   But, often there is a reason to give
only a limited set of root (admin) priviledges.  Then the sudo
config (sudoers)  must be more complex and can get tricky if
the limits are complicated.

////jerry
> 
> -j
> 
> 
> -- 
> Jeffrey Goldberg                        http://www.goldmark.org/jeff/
> 
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to