Lowell Gilbert wrote:
Tom Grove <[EMAIL PROTECTED]> writes:

You could even go so far as to limit what he can use sudo on.

$>man sudo

Giving him full root access is probably not a good idea.

In practice, this approach *is* effectively giving him full root
access.  Once you have to give the tech the ability to edit root-owned
files, you have to trust his honesty.

Once any kind of local access is given to a user, trust becomes an issue, regardless of root access or not. By only allowing a certain set of commands, there would still need to be a great deal of cracking to gain more access. If one just gives out root access, no more would need to be done. This is where sudo is unlike root access.

There are some important
advantages to doing it through sudo, though: one is that it makes it
easy for the user to keep track of just the root-privileged commands,
and another is that it's easier for the user to avoid shooting himself
in the foot.

Another advantage of sudo is not having to give out the root password. A possible solution may be using sudo and watch together.

To watch everything done by the remote-connected tech, the most
complete approach is probably watch(8), which is a much simpler way of
getting everything typed on a particular tty.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

While I agree that any kind of raised privilege may not be the best idea, if it is necessary, sudo adds a layer of protection you do not get with straight root.

-Tom
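
An added illustration of the trade-off discussed in this thread (not part of the original messages): a small audit over sudoers rules that flags grants amounting to full root, such as `ALL`, shells, and editors that can spawn a shell, while passing narrowly scoped commands. The user `tech`, the command list, and the paths in the sample are assumptions constructed for this example.

```python
import posixpath
import re

# Illustrative (not exhaustive) commands that hand back a root shell or
# arbitrary root file writes when allowed through sudo. Assumed list.
ROOT_EQUIVALENT = {"ALL", "su", "sh", "csh", "tcsh", "bash", "vi", "vim", "ee", "ed"}

# Constructed sudoers lines for a hypothetical user "tech".
SAMPLE = """\
# remote technician
tech ALL=(root) /usr/sbin/service apache22 restart, /usr/bin/tail /var/log/messages
tech ALL=(root) /usr/bin/vi /usr/local/etc/apache22/httpd.conf
tech ALL=(root) NOPASSWD: ALL
tech ALL=(root) sudoedit /usr/local/etc/apache22/httpd.conf
"""

# user host = (runas) command-list
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as NOPASSWD: or NOEXEC:


def audit(text):
    """Return (line_number, user, command) for each root-equivalent grant."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, Defaults settings and alias definitions.
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        match = RULE.match(line)
        if not match:
            continue
        # Commands are comma-separated; a backslash-escaped comma is an argument.
        for spec in re.split(r"(?<!\\),", match.group("cmds")):
            spec = TAGS.sub("", spec.strip())
            if not spec:
                continue
            name = posixpath.basename(spec.split()[0])
            if name in ROOT_EQUIVALENT:
                findings.append((lineno, match.group("user"), name))
    return findings


if __name__ == "__main__":
    for lineno, user, name in audit(SAMPLE):
        print(f"line {lineno}: {user} may run {name} as root: treat as full root access")
```

The `sudoedit` rule is not flagged because it runs no editor as root, but whether editing that particular file is itself root-equivalent still has to be judged per file.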
