sudo and /etc/sudoers

Mark Haney mhaney at ercbroadband.org
Tue Dec 30 19:17:50 UTC 2008


Res wrote:
> On Mon, 29 Dec 2008, Derek Broughton wrote:
> 
>> LOL.  What a ridiculous attitude from somebody who claims to be an expert.
>> _Somebody_ has to run root programs, and ime it is both possible and
> 
> there is such a thing called automation, maybe use dictionary.com if you 
> don't know what it means.

Yes, automation is great, however, how do you propose keeping people out 
from mucking with the script (if there is one)?  Sure there are 
permissions, etc, but a non-privileged user account that any script runs 
under that needs root access for anything, still needs sudo.

And if you just throw all your scripts in the root account that either 
need SOME root access or none at all, that's insanity.  The point is, 
some users need root access to manage certain things.  It's a fact of 
life.  What ANY good admin needs to do is set up a detailed audit trail 
of who has done what and when.  That also requires knowing who is using 
root permissions for what.  Just handing out root's pwd is irresponsible 
at best and (can be) criminal at worst.

Besides, not everything can be replaced with a small shell script.  I 
know I've tried.  My wife didn't find it funny.  :)




> 
>> large server systems, I am one of the two prime administrators - neither one
>> of us actually has the root password, which _does_ exist but only the
>> daytime computer room operator has.  Works fine.
> 
> Then you can't be trusted enough, so the daytime guy gets killed in a car 
> accident or is dismissed, someone else needs to know it, especially in the 
> latter case to change it.
> 
> 

Oh?  He can't be trusted enough with root yet he has root access via 
sudo?  How do you reconcile that?  There's nothing stopping him from 
sudo'ing in and changing root's pwd if he so desires, but he has no need 
to.  What would it get him besides fired?  You're looking at this ALL 
wrong.  If a real sysadmin can't be trusted with root (in your world 
anyway) then NO ONE can.  So how does any administration get done 
without it?

This entire thread is just silly.  Anyone with real sysadmin experience 
can tell you that sudo is infinitely safer than just root.  Anyone who's 
ever had to set up real granular user permissions knows that in a large 
environment having someone who has root permissions to set up printers 
and nothing else can save the Admin TONS of time by not having to deal 
with it and delegate that one function to someone who can handle that 
ONE function.

If you don't get it, well that's not my fault.



-- 
Frustra laborant quotquot se calculationibus fatigant pro inventione 
quadraturae circuli

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support
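
Added example, not part of the original message: a small Python audit over the records sudo writes to syslog, producing the per-user "who has done what and when" trail the post calls for and flagging commands that fall outside a delegated role. The log lines are constructed, and the user names and the DELEGATED / FULL_ADMINS policy are assumptions made for illustration.

```python
import re
from collections import defaultdict
# Constructed sample in the syslog format sudo writes (e.g. /var/log/auth.log).
SAMPLE_LOG = """\
Dec 30 14:02:11 srv1 sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/lpadmin -p lobby -E
Dec 30 14:03:27 srv1 sudo:    alice : command not allowed ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd root
Dec 30 14:06:02 srv1 sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Dec 30 14:10:05 srv1 sudo:    derek : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 30 14:12:40 srv1 sudo:  mallory : user NOT in sudoers ; TTY=pts/5 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Dec 30 14:15:00 srv1 sshd[811]: Accepted publickey for derek from 192.0.2.10 port 50022 ssh2
"""
# Hypothetical policy: alice is delegated printer administration and nothing else.
DELEGATED = {"alice": {"/usr/sbin/lpadmin"}}
FULL_ADMINS = {"derek"}

LINE_RE = re.compile(r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                     r"sudo(?:\[\d+\])?:\s+(?P<who>\S+) : (?P<fields>.*)$")

def parse_sudo_line(line):
    """Parse one sudo command record; return None for any other log line."""
    m = LINE_RE.match(line)
    # COMMAND= is the last field and may contain ";" itself, so split it off first.
    head, sep, command = (m["fields"] if m else "").partition("COMMAND=")
    if not sep:
        return None
    ev = {"when": m["when"], "who": m["who"], "command": command, "denied": None}
    for part in filter(None, (p.strip() for p in head.split(";"))):
        key, eq, value = part.partition("=")
        if eq:
            ev[key.lower()] = value   # tty, pwd, user (the run-as account)
        else:
            ev["denied"] = part       # e.g. "command not allowed"
    return ev

def audit(log_text, delegated, full_admins):
    """Group sudo activity by invoking user and label each command."""
    report = defaultdict(list)
    for ev in filter(None, map(parse_sudo_line, log_text.splitlines())):
        binary = (ev["command"].split() or [""])[0]
        if ev["denied"]:
            verdict = "DENIED"        # sudo refused the request
        elif ev["who"] in full_admins or binary in delegated.get(ev["who"], ()):
            verdict = "ok"
        else:
            verdict = "OUT-OF-ROLE"   # sudoers permits more than the delegation says
        report[ev["who"]].append((ev["when"], verdict, ev["command"]))
    return dict(report)

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, DELEGATED, FULL_ADMINS))
```

An OUT-OF-ROLE entry means sudo allowed the command, so the sudoers rule for that user is broader than the one function it was meant to delegate.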



