
Re: Too many admins..



On Fri, 2 Jul 1999, Majestic One wrote:

> we have a couple of boxes and are four admins. I find myself (and
> others) working as root too often. So I wonder is there a group I can
> place myself and the others in so I can work as normal user but have
> root capabilities. Meaning if I create a file it is owned by me but

Yes and no.  There are some groups that tend to have higher privileges (by
the filesystem, not by the kernel.  AFAIK, the kernel only recognizes
UID 0 as special.  It doesn't give a flying foo what your GID is).

However, neither is anywhere near giving you superuser perms.  If they
were, why not just su?  (That's the classic UNIX attitude: only 1
superuser.  Personally, I can think of a reason or two)

Anyhow, wheel and operator typically have access to some extra files.
(though often it's read-only)  You could also set up sudo.

The question in either case is:  what sorts of tasks does everyone need to
be doing?  If each person only has a small set of tasks they need to be
doing, putting them in a group (not even necessarily wheel or operator) and
doing some chown-chmod dances may be sufficient.  Otherwise, sudo
probably will be.

On the other hand, if they need to do general administrative tasks on all
the boxen, then what you're talking about is full superuser access.  I've
got a situation like this in a lab.  I like to maintain one password across
systems (so there's a hint if you ever wanna crack me -- get my password on
one box and you've probably got it elsewhere ;).  Since I'm not real keen
on giving out the root password to every machine in the cluster, I set it
up so that the machine that a particular person needs superuser access on grants
them permission to sudo su.  (although even then, the appearance of
security is largely fictitious since I'm not doing root_squash on my NFS
exports, but at least they have to have malicious intent to do something
nasty as root on another box.)
.......................................................................
: "Welcome to NSA's Web Server!"                   : Trevor Schroeder :
:                     -- National Security Agency  : tschroed@acm.org : 
:........... http://www.zweknu.org/ for PGP key and more .............:
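
A sudoers sketch of the two cases described in the message above (a small fixed task set per group, and full superuser access scoped to one machine via "sudo su"). It is an added illustration, not part of the original post; every user, group and host name and every command path in it is an assumption.

```sudoers
# /etc/sudoers fragment -- edit with visudo so syntax errors are caught.
# All user, group and host names below are hypothetical.

# Machines in the cluster, grouped by who administers them.
Host_Alias  LAB_A = lab01, lab02
Host_Alias  LAB_B = lab03

# Case 1: each person only needs a small set of tasks.
# List commands by full path; anything that can spawn a shell
# (editors, pagers, interpreters) is equivalent to granting full root.
Cmnd_Alias  PRINTING = /usr/bin/lprm, /usr/sbin/lpc
Cmnd_Alias  POWER    = /sbin/shutdown, /sbin/reboot

%printops   ALL   = (root) PRINTING
%operator   ALL   = (root) POWER

# Case 2: general administration, so full superuser access, but only on
# the machines where that person needs it. Users authenticate with their
# own password; the root password is never handed out.
# The path to su is an assumption (some systems use /usr/bin/su).
alice       LAB_A = (root) /bin/su
bob         LAB_B = (root) /bin/su
```

The same file can be distributed to every machine, since each rule only takes effect on hosts matching its host list. As the message notes, per-host root is only a real boundary if NFS exports map remote root to an unprivileged user (`root_squash`).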