I suppose the difference is sudo -- with sudo you have an audit trail of who
issued what.

You can limit what the user can do in /etc/sudoers. You could make support
only able to issue certain commands, or you can try excluding commands if
you think you can cover them all. (I'd argue the only 'safe' way is to
specify what the user can issue - specifying what they 'cannot' issue could
be an endless game.)

Scott

On Thu, Jan 22, 2009 at 9:19 AM, John Summerfield <
[email protected]> wrote:

> Scott Rohling wrote:
>
>> We implemented this within IBM:
>>
>> -  created userid 'support' on all Linux guests - made it a 'no login' user
>> -  Put support in sudoers to allow commands with NOPASSWD on all guests
>> -  Distributed the 'authorized_keys' to /home/support/.ssh with the support
>>    user's public key on the central system.
>>
>
> so in effect you have dozens (hundreds) of users all called "support."
>
> I use the account name "summer" for most machines I use, but I (almost)
> always create new keys on each one, and distribute them where needed.
>
>
> You haven't explained to my understanding how your account "support"
> differs from "root" in controlling what users might do willfully. I can
> see it might prevent some accidents.
>
> Are your support users prevented from this command?
> sudo /bin/bash
>
>
>
> --
>
> Cheers
> John
>
> -- spambait
> [email protected]  [email protected]
> -- Advice
> http://webfoot.com/advice/email.top.php
> http://www.catb.org/~esr/faqs/smart-questions.html
> http://support.microsoft.com/kb/555375
>
> You cannot reply off-list:-)
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO LINUX-390 or
> visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
>
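
The allow-list versus deny-list point in the reply above, and the `sudo /bin/bash` question it answers, can be checked mechanically. This is an added example, not part of the original thread or of the setup it describes: a small Python audit of the sudoers rules granted to the `support` user. The sample rules, the shell list and the function name are constructed for illustration, and aliases and includes are not expanded.

```python
import re

# Shells whose presence in a rule amounts to full root access (constructed list).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh", "/bin/csh", "/bin/zsh"}

def audit_sudoers(text, user="support"):
    """Return (command, issue) pairs for sudoers rules granted to `user`.

    Assumes simple "user host = (runas) TAG: cmd, cmd" rules; aliases,
    includes and escaped commas are not handled.
    """
    findings = []
    text = text.replace("\\\n", " ")                  # join continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(\S+)\s+\S+\s*=\s*(.+)", line)
        if not m or m.group(1) != user:
            continue
        spec = re.sub(r"\([^)]*\)", "", m.group(2))   # strip (runas) lists
        spec = re.sub(r"\b[A-Z_]+:\s*", "", spec)     # strip tags such as NOPASSWD:
        for cmd in (c.strip() for c in spec.split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((cmd, "all-commands"))    # same as handing out root
            elif cmd.startswith("!"):
                findings.append((cmd, "deny-list"))       # exclusions can never be complete
            elif cmd.split()[0] in SHELLS:
                findings.append((cmd, "root-shell"))      # the `sudo /bin/bash` case
            elif len(cmd.split()) == 1 and not cmd.endswith("/"):
                findings.append((cmd, "any-arguments"))   # no arguments pinned in the rule
    return findings

# Constructed sample rules, not taken from the thread.
SAMPLE = """\
summer  ALL=(ALL) ALL
support ALL=(ALL) NOPASSWD: ALL, !/bin/bash, !/bin/su
support ALL=(root) NOPASSWD: /bin/bash
support ALL=(root) NOPASSWD: /usr/bin/tail
support ALL=(root) NOPASSWD: /sbin/service httpd restart, /bin/df -h
"""

if __name__ == "__main__":
    for cmd, issue in audit_sudoers(SAMPLE):
        print(f"{issue:14} {cmd}")
```

Only the last sample rule passes cleanly: it names each permitted command with its arguments, which is the allow-list form.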
