One last rant on sudo...accountability. It's a lot easier to tell who actually did a sudo <command> versus root issuing <command>.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Lightner
Sent: Thursday, January 26, 2006 2:26 PM
To: David Rock; veritas-bu@mailman.eng.auburn.edu
Subject: RE: [Veritas-bu] login as unix user

Hasn't been an issue for me - only one place I worked at had separate backup admins. Everywhere else the Unix Admins were also the Backup Admins. The place where backup admins were separate was the place that made the most extensive use of sudo and like I said it didn't have root shell for them or anyone other than the Unix admins.

Anyway the idea wasn't to avoid all root access but to restrict it to only those commands necessary. Anything that can be scripted can be made into a sudo command. The command runs as root but doesn't give access to root.

Personally I've never much cared for "we have other holes so why fix any" approach to security. Even if there are back door ways to get root the idea of security is to harden the target. It's much like putting a lock on your door and having an alarm system in your house. It may not prevent all possible break-ins but it will at least limit the likelihood.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Rock
Sent: Thursday, January 26, 2006 11:07 AM
To: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] login as unix user

* Paul Keating <[EMAIL PROTECTED]> [2006-01-26 10:32]:
> In other words, if you want root access, you can give it to yourself.
> :o)

Or at the very least, make _sure_ management understands that you are not responsible for maintaining the environment at that point. Something goes wrong with a tape drive or the server needs to be rebooted, _they_ better be willing to get someone in place at 2am to take care of it because you can't.

--
David Rock
[EMAIL PROTECTED]
_______________________________________________
Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
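
The accountability point raised in this thread, as an added example that is not part of the original messages: a Python parser that attributes each sudo log entry to the invoking user and flags denials and root shells, since a root shell ends per-command logging. The log lines are constructed in sudo's default syslog format; the user names, host name and script paths are hypothetical.

```python
import re

# Constructed sample lines in sudo's default syslog format (hypothetical users, host, paths).
SAMPLE_LOG = """\
Jan 26 14:02:11 bkpsrv sudo:   alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/local/sbin/restart_backup.sh
Jan 26 14:05:40 bkpsrv sudo:     bob : command not allowed ; TTY=pts/4 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
Jan 26 14:09:02 bkpsrv sudo:   carol : TTY=pts/5 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jan 26 14:10:17 bkpsrv sudo:    dave : user NOT in sudoers ; TTY=pts/6 ; PWD=/tmp ; USER=root ; COMMAND=/usr/local/sbin/eject_tape.sh 3
Jan 26 14:11:00 bkpsrv sshd[812]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
"""

ENTRY = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$")
# Programs that hand over an interactive root shell; what follows is not logged per command.
SHELLS = {"sh", "bash", "ksh", "csh", "zsh", "su"}

def parse_sudo_line(line):
    """Return a dict describing one sudo log entry, or None for any other line."""
    m = ENTRY.search(line)
    if not m or "COMMAND=" not in m.group("body"):
        return None
    # COMMAND is the last field and may itself contain " ; ", so split it off first.
    head, _, command = m.group("body").partition("COMMAND=")
    fields, reason = {}, None
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            fields[key] = value
        else:
            reason = part  # denial text such as "command not allowed"
    words = command.split()
    program = words[0].rsplit("/", 1)[-1] if words else ""
    return {
        "invoker": m.group("user"),
        "run_as": fields.get("USER"),
        "command": command.strip(),
        "denied": reason,
        "root_shell": reason is None and program in SHELLS,
    }

def review(log_text):
    """Parse every sudo entry; return (all entries, entries that need a second look)."""
    entries = [e for e in map(parse_sudo_line, log_text.splitlines()) if e]
    flagged = [e for e in entries if e["denied"] or e["root_shell"]]
    return entries, flagged

if __name__ == "__main__":
    for e in review(SAMPLE_LOG)[0]:
        note = e["denied"] or ("root shell" if e["root_shell"] else "ok")
        print(f'{e["invoker"]:>6} -> {e["run_as"]}: {e["command"]}  [{note}]')
```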