Reg, User rights
Jerry McAllister
jerrymc at msu.edu
Thu Feb 22 22:11:33 UTC 2007
On Thu, Feb 22, 2007 at 03:33:50PM -0600, Jeffrey Goldberg wrote:
> On Feb 22, 2007, at 11:02 AM, Jerry McAllister wrote:
>
> >Install and set up sudo (/usr/ports/security/sudo) and create a
> >configuration for that user so they can run specific commands that
> >you specify and only those commands. This is a very good method,
> >but sometimes it takes some careful thought to deal with the various
> >commands and their possible arguments that you want to allow or
> >disallow.
>
> This is my choice. I haven't done a careful comparison of all of the
> methods you proposed, but I find this the most natural, particularly
> after using OS X for 5 years.
>
> This is what I do for myself (there are no other people with accounts
> on the particular machine.) In /etc/passwd I have a normal user and
> group that was set up during installation. I added that user to the
> wheel group in /etc/groups and configured /usr/local/etc/sudoers with
> the line
>
> %wheel ALL=(ALL) ALL
>
> This works just fine. Users in the wheel group can use sudo to
> execute things as root, but they only need their own passwords.
> Root's password is extremely good and basically never used, so it is
> stored away in some secure manner and doesn't exist in anybody's head.
>
> I like the idea of not having to give out a root-like password but
> still to require authentication when operating as root. Ever since I
> learned this trick from OS X, I've been using it everywhere I can
> install sudo.

That is probably the best general solution if you want to give
overall admin rights. But, often there is a reason to give
only a limited set of root (admin) privileges. Then the sudo
config (sudoers) must be more complex and can get tricky if
the limits are complicated.

////jerry

>
> -j
>
>
> --
> Jeffrey Goldberg http://www.goldmark.org/jeff/
>
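
Added example, not part of either poster's message: a sudoers fragment that sets the blanket wheel rule quoted in the thread beside a limited grant of the kind Jerry describes. The user name `alice`, the `exampled` rc script and the choice of commands are hypothetical.

```sudoers
# Added example; "alice", "exampled" and the command list are hypothetical.
# Edit with visudo so the file is syntax-checked before it is saved.

# Blanket grant quoted in the thread: every wheel member may run any
# command as any user, authenticating with their own password.
%wheel  ALL=(ALL) ALL

# Limited grant: one user, a fixed set of commands, run as root only.
Cmnd_Alias REBOOT  = /sbin/shutdown -r now
Cmnd_Alias SERVICE = /usr/local/etc/rc.d/exampled restart, \
                     /usr/local/etc/rc.d/exampled status
Cmnd_Alias READLOG = /usr/bin/tail -n 100 /var/log/messages

alice   ALL=(root) REBOOT, SERVICE, READLOG

# Argument handling is where the limits get tricky:
#   /sbin/shutdown          no arguments listed: any arguments are allowed
#   /sbin/shutdown ""       only the bare command, no arguments at all
#   /sbin/shutdown -r now   exactly these arguments and nothing else
# Wildcards in the argument part match across spaces and slashes, so a
# pattern such as "/usr/bin/tail /var/log/*" also accepts extra file names
# after the log path. List the exact argument strings instead.
# Editors, pagers and shells do not belong in a limited rule, because they
# can start further commands as root.
```

`sudo -l -U alice`, run as root, lists what the rule actually permits, which is worth checking after every change.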