On Fri, Jan 23, 2009 at 1:43 AM, John Summerfield <[email protected]> wrote:
>> With sudo you get the privileged commands in the system logging and it
>> is much easier to understand what happened and who is to blame.
>
> As I've pointed out before, unless you're really careful it's easily
> circumvented, and sometimes allowing someone to do one thing (eg manage
> linux user accounts) may allow them more privilege than they should have
> (eg create a privileged account and misuse it).

Oh sure. I don't give much for the granularity that you can introduce to
do per-command authorization with sudo for some people. We used it as a big
hammer with syslog. And when someone felt the desire to invoke a script of
his own under sudo (and thus hide everything that happens inside) he would
be taken outside for some education. Clearly "sudo su -" would be a very
obvious one to frown upon. Just because you should leave trails for your
coworkers.

Rob
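
A log review pass for the practice discussed in this message, as an added example that is not part of the original post: it reads sudo's syslog entries and flags commands after which the log no longer shows what was done (a root shell such as `sudo su -`, or a script of the user's own). The log lines, host name, user names and the trusted-directory policy are constructed assumptions.

```python
import os
import re

# Field layout of sudo's syslog entries: "<user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ;"
    r".*? COMMAND=(?P<cmd>\S.*)$"
)
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}
# Assumed site policy: binaries in these directories are known, so the logged name is meaningful.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

def classify(cmd):
    """Return why a logged COMMAND= hides later activity, or None if it does not."""
    argv = cmd.split()
    name = os.path.basename(argv[0])
    if name == "su":
        return "root-shell"  # e.g. "sudo su -": nothing after this is logged by sudo
    if name in SHELLS:
        if "-c" in argv[1:]:
            return None  # the command string itself is in the log
        has_script = any(not a.startswith("-") for a in argv[1:])
        return "opaque-script" if has_script else "root-shell"
    if not argv[0].startswith(TRUSTED_DIRS):
        return "opaque-script"  # e.g. a script in a home directory
    return None

def review(lines):
    """Return (invoking user, reason, command) for every sudo entry that breaks the trail."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        reason = classify(m["cmd"]) if m else None
        if reason:
            findings.append((m["user"], reason, m["cmd"]))
    return findings

# Constructed sample entries in sudo's syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jan 23 01:12:03 lnx390 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m carol
Jan 23 01:15:40 lnx390 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Jan 23 01:20:11 lnx390 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/home/bob/fix.sh
Jan 23 01:22:59 lnx390 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Jan 23 01:25:00 lnx390 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh /tmp/x.sh
""".splitlines()

if __name__ == "__main__":
    for user, reason, cmd in review(SAMPLE_LOG):
        print(f"{user:8} {reason:14} {cmd}")
```

The `useradd` entry passes this check because the command itself is visible in the log; whether a user should be allowed to run it is the separate authorization question raised in the quoted text.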
