Reg, User rights

Jeffrey Goldberg jeffrey at goldmark.org
Thu Feb 22 22:58:51 UTC 2007


On Feb 22, 2007, at 11:02 AM, Jerry McAllister wrote:

> Install and set up sudo  (/usr/ports/security/sudo) and create a
> configuration for that user so they can run specific commands that
> you specify and only those commands.   This is a very good method,
> but sometimes it takes some careful thought to deal with the various
> commands and their possible arguments that you want to allow or
> disallow.

This is my choice.  I haven't done a careful comparison of all of the  
methods you proposed, but I find this the most natural, particularly  
after using OS X for 5 years.

This is what I do for myself (there are no other people with accounts  
on the particular machine.)  In /etc/passwd I have a normal user and  
group that was setup during installation.  A added that user to the  
wheel group in /etc/groups and configured /usr/local/etc/sudoers with  
the line

   %wheel  ALL=(ALL)       ALL

This works just fine.  Users in the wheel group can use sudo to  
execute things as root, but they only need their own passwords.   
Root's password is extremely good and basically never used, so it is  
stored away in some secure manner and doesn't exist in anybody's head.

I like the idea of not having to give out a root-like password but  
still to require authentication when operating as root.  Ever since I  
learned this trick from OS X, I've been using it everywhere I can  
install sudo.

-j


-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/



More information about the freebsd-questions mailing list