From owner-freebsd-questions@FreeBSD.ORG Thu Feb 22 22:11:33 2007
X-Original-To: questions@freebsd.org
Delivered-To: freebsd-questions@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7788E16A403; Thu, 22 Feb 2007 22:11:33 +0000 (UTC) (envelope-from jerrymc@gizmo.acns.msu.edu)
Received: from gizmo.acns.msu.edu (gizmo.acns.msu.edu [35.8.1.43]) by mx1.freebsd.org (Postfix) with ESMTP id 2EDAA13C428; Thu, 22 Feb 2007 22:11:32 +0000 (UTC) (envelope-from jerrymc@gizmo.acns.msu.edu)
Received: from gizmo.acns.msu.edu (localhost [127.0.0.1]) by gizmo.acns.msu.edu (8.13.6/8.13.6) with ESMTP id l1MM9GRP021365; Thu, 22 Feb 2007 17:09:16 -0500 (EST) (envelope-from jerrymc@gizmo.acns.msu.edu)
Received: (from jerrymc@localhost) by gizmo.acns.msu.edu (8.13.6/8.13.6/Submit) id l1MM9GtO021364; Thu, 22 Feb 2007 17:09:16 -0500 (EST) (envelope-from jerrymc)
Date: Thu, 22 Feb 2007 17:09:16 -0500
From: Jerry McAllister
To: Jeffrey Goldberg
Cc: questions@freebsd.org
Subject: Re: Reg, User rights
Message-ID: <20070222220915.GA21246@gizmo.acns.msu.edu>
References: <1a61db890702210222h5e7258aaw8c4caac677cd278d@mail.gmail.com> <20070222170214.GA20259@gizmo.acns.msu.edu> <49E26058-A5E3-4F24-9884-CD50BBED3D5E@goldmark.org>
In-Reply-To: <49E26058-A5E3-4F24-9884-CD50BBED3D5E@goldmark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.2i
List-Id: User questions
X-List-Received-Date: Thu, 22 Feb 2007 22:11:33 -0000

On Thu, Feb 22, 2007 at 03:33:50PM -0600, Jeffrey Goldberg wrote:
> On Feb 22, 2007, at 11:02 AM, Jerry McAllister wrote:
>
> >Install and set up sudo (/usr/ports/security/sudo) and create a
> >configuration for that user so they can run specific commands that
> >you specify and only those commands. This is a very good method,
> >but sometimes it takes some careful thought to deal with the various
> >commands and their possible arguments that you want to allow or
> >disallow.
>
> This is my choice. I haven't done a careful comparison of all of the
> methods you proposed, but I find this the most natural, particularly
> after using OS X for 5 years.
>
> This is what I do for myself (there are no other people with accounts
> on the particular machine.) In /etc/passwd I have a normal user and
> group that was set up during installation. I added that user to the
> wheel group in /etc/groups and configured /usr/local/etc/sudoers with
> the line
>
> %wheel ALL=(ALL) ALL
>
> This works just fine. Users in the wheel group can use sudo to
> execute things as root, but they only need their own passwords.
> Root's password is extremely good and basically never used, so it is
> stored away in some secure manner and doesn't exist in anybody's head.
>
> I like the idea of not having to give out a root-like password but
> still to require authentication when operating as root. Ever since I
> learned this trick from OS X, I've been using it everywhere I can
> install sudo.

That is probably the best general solution if you want to give overall
admin rights. But often there is a reason to give only a limited set of
root (admin) privileges. Then the sudo config (sudoers) must be more
complex and can get tricky if the limits are complicated.

////jerry

>
> -j
>
>
> --
> Jeffrey Goldberg http://www.goldmark.org/jeff/
>
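An added illustration of the two configurations discussed in this thread, not part of either poster's message: the blanket wheel rule Jeffrey uses, followed by the kind of limited grant Jerry has in mind, with the argument-handling traps he alludes to spelled out. The user name "webadmin", the apache22 rc script and the log and config paths are assumed for the example.

```sudoers
## /usr/local/etc/sudoers (sudo from /usr/ports/security/sudo)
## Always edit with visudo, which checks syntax before saving.

# Scrub the caller's environment and re-prompt after 5 idle minutes.
Defaults env_reset, timestamp_timeout=5

# 1. The blanket rule from the thread: any wheel member may run any
#    command as any user, authenticating with their OWN password.
%wheel ALL=(ALL) ALL

# 2. A limited grant. Commands listed with arguments must be invoked
#    with exactly those arguments; a command listed without arguments
#    accepts ANY arguments, and a trailing "" means "no arguments at all".
#    (User "webadmin" and these paths are assumed for the example.)
Cmnd_Alias WEB_CTL  = /usr/local/etc/rc.d/apache22 restart, \
                      /usr/local/etc/rc.d/apache22 status
Cmnd_Alias WEB_LOGS = /usr/bin/tail -f /var/log/httpd-error.log, \
                      /usr/bin/tail -f /var/log/httpd-access.log
Cmnd_Alias REBOOT   = /sbin/shutdown -r now, /sbin/reboot ""

webadmin ALL=(root) WEB_CTL, WEB_LOGS
webadmin ALL=(root) NOPASSWD: REBOOT

# 3. Pagers and editors can spawn a shell (less: "!sh", vi: ":!sh").
#    NOEXEC: keeps the granted program from executing anything further;
#    sudoedit lets the user edit a root-owned file without the editor
#    itself ever running as root.
webadmin ALL=(root) NOEXEC: /usr/bin/less /var/log/httpd-error.log
webadmin ALL=(root) sudoedit /usr/local/etc/apache22/httpd.conf

# 4. Not a limit: "everything except a shell" is bypassed by copying
#    or renaming the shell, so negated entries like this give no real
#    restriction. Enumerate what is allowed instead, as above.
# webadmin ALL=(root) ALL, !/bin/sh
```

After editing, `visudo -c -f /usr/local/etc/sudoers` reports syntax errors, and `sudo -l -U webadmin` lists exactly what that user may run, which is the quickest way to confirm the argument restrictions came out the way you intended.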