On Thu, Feb 22, 2007 at 03:33:50PM -0600, Jeffrey Goldberg wrote: > On Feb 22, 2007, at 11:02 AM, Jerry McAllister wrote: > > >Install and set up sudo (/usr/ports/security/sudo) and create a > >configuration for that user so they can run specific commands that > >you specify and only those commands. This is a very good method, > >but sometimes it takes some careful thought to deal with the various > >commands and their possible arguments that you want to allow or > >disallow. > > This is my choice. I haven't done a careful comparison of all of the > methods you proposed, but I find this the most natural, particularly > after using OS X for 5 years. > > This is what I do for myself (there are no other people with accounts > on the particular machine.) In /etc/passwd I have a normal user and > group that was setup during installation. A added that user to the > wheel group in /etc/groups and configured /usr/local/etc/sudoers with > the line > > %wheel ALL=(ALL) ALL > > This works just fine. Users in the wheel group can use sudo to > execute things as root, but they only need their own passwords. > Root's password is extremely good and basically never used, so it is > stored away in some secure manner and doesn't exist in anybody's head. > > I like the idea of not having to give out a root-like password but > still to require authentication when operating as root. Ever since I > learned this trick from OS X, I've been using it everywhere I can > install sudo.
That is probably the best general solution if you want to give overall admin rights. But, often there is a reason to give only a limited set of root (admin) priviledges. Then the sudo config (sudoers) must be more complex and can get tricky if the limits are complicated. ////jerry > > -j > > > -- > Jeffrey Goldberg http://www.goldmark.org/jeff/ > _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"