Scott Rohling wrote:
I suppose the difference is sudo -- with sudo you have an audit trail of who
issued what.
Sure. Whoever's using the support account at the time.
You can limit what the user can do in /etc/sudoers. You could make support
only able to issue certain commands.. or you can try excluding commands if
you think you can cover them all. (I'd argue the only 'safe' way is to
specify what the user can issue - specifying what they 'cannot' issue could
be an endless game).
If I must configure bind, maybe I need a text editor. If I can use a
text editor maybe I can edit /etc/sudoers
People make mistakes, it's in our nature. When it happens, it's probably
not helpful to know (by evidence) who did it. Blaming someone does not
undo the problem and it does not make anyone happier.
What you need to understand is how it happened, and then maybe you need
to change procedures to ensure it doesn't recur, and you need to train
people in the new procedures.
Making sure people can't do bad things, and if they do then catching
them, that's another problem.
Scott
On Thu, Jan 22, 2009 at 9:19 AM, John Summerfield <[email protected]> wrote:
Scott Rohling wrote:
We implemented this within IBM:
- created userid 'support' on all Linux guests - made it a 'no login' user
- Put support in sudoers to allow commands with NOPASSWD on all guests
- Distributed the 'authorized_keys' to /home/support/.ssh with the support user's public key on the central system.
so in effect you have dozens (hundreds) of users all called "support."
I use the account name "summer" for most machines I use, but I (almost)
always create new keys on each one, and distribute them where needed.
You haven't explained to my understanding how your account "support"
differs from "root" in controlling what users might do willfully. I can
see it might prevent some accidents.
Are your support users prevented from this command?
sudo /bin/bash
Are they?
--
Cheers
John
-- spambait
[email protected] [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
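John's closing question (can the support user run `sudo /bin/bash`?) and his earlier point that a text editor is enough to rewrite /etc/sudoers can both be checked mechanically against the rules themselves. The following is an added example, not part of this thread or anyone's posted code: it parses a constructed sudoers fragment and flags rules that are effectively a root grant; the sample rules, the SHELLS and EDITORS sets and the function names are assumptions for illustration.

```python
import os
import re

# Constructed sample /etc/sudoers fragment (not from any real system).
SAMPLE_SUDOERS = """\
# the blanket grant from the thread: any command as anyone, no password
support ALL=(ALL) NOPASSWD: ALL
# narrower, but an editor can rewrite /etc/sudoers and a shell is root
support ALL=(root) NOPASSWD: /usr/bin/vim, /bin/bash, /usr/sbin/rndc reload
# scoped to the task: reload and check the name server configuration
support ALL=(root) NOPASSWD: /usr/sbin/rndc reload, /usr/sbin/named-checkconf
# runs as an unprivileged user, so ALL here is not root-equivalent
support ALL=(bind) NOPASSWD: ALL
"""
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}
EDITORS = {"vi", "vim", "nano", "emacs", "ed"}
# user host = (runas) TAG: cmd, cmd ...  (the runas part and tags are optional)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_rules(text):
    """Parse user-spec lines into dicts; comments, Defaults and alias lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0].strip())
        if not m or m.group("user").startswith(("Defaults", "Cmnd_Alias", "User_Alias")):
            continue
        rules.append({"runas": {r.strip() for r in (m.group("runas") or "root").split(",")},
                      "commands": [c.strip() for c in m.group("cmds").split(",")]})
    return rules

def root_equivalent(rule):
    """Return the reasons a rule amounts to handing over root ([] if none)."""
    if not rule["runas"] & {"root", "ALL"}:
        return []  # may only run things as an unprivileged user
    reasons = []
    for cmd in rule["commands"]:
        prog = os.path.basename(cmd.split()[0])  # executable name without its arguments
        if cmd == "ALL":
            reasons.append("ALL: any command as root")
        elif prog in SHELLS:
            reasons.append(f"{cmd}: interactive root shell")
        elif prog in EDITORS:
            reasons.append(f"{cmd}: editor can rewrite /etc/sudoers")
    return reasons

def audit(text):
    """Map each flagged rule's command list to the reasons it hands over root."""
    return {", ".join(r["commands"]): why
            for r in parse_rules(text) if (why := root_equivalent(r))}
```

Run it over the real sudoers file and any files it includes; a rule that is flagged is one where the audit trail records only that "support" did something, exactly the point made above.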
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390