From: Jeffrey Goldberg
Date: Thu, 22 Feb 2007 15:33:50 -0600
To: Jerry McAllister
Cc: questions@freebsd.org
Subject: Re: Reg, User rights
In-Reply-To: <20070222170214.GA20259@gizmo.acns.msu.edu>
References: <1a61db890702210222h5e7258aaw8c4caac677cd278d@mail.gmail.com> <20070222170214.GA20259@gizmo.acns.msu.edu>
Message-Id: <49E26058-A5E3-4F24-9884-CD50BBED3D5E@goldmark.org>
List-Id: User questions

On Feb 22, 2007, at 11:02 AM, Jerry McAllister wrote:

> Install and set up sudo (/usr/ports/security/sudo) and create a
> configuration for that user so they can run specific commands that
> you specify and only those commands. This is a very good method,
> but sometimes it takes some careful thought to deal with the various
> commands and their possible arguments that you want to allow or
> disallow.

This is my choice. I haven't done a careful comparison of all of the methods you proposed, but I find this the most natural, particularly after using OS X for 5 years.

This is what I do for myself (there are no other people with accounts on the particular machine).

In /etc/passwd I have a normal user and group that was set up during installation. I added that user to the wheel group in /etc/groups and configured /usr/local/etc/sudoers with the line

    %wheel ALL=(ALL) ALL

This works just fine. Users in the wheel group can use sudo to execute things as root, but they only need their own passwords. Root's password is extremely good and basically never used, so it is stored away in some secure manner and doesn't exist in anybody's head.

I like the idea of not having to give out a root-like password but still to require authentication when operating as root. Ever since I learned this trick from OS X, I've been using it everywhere I can install sudo.

-j

-- 
Jeffrey Goldberg
http://www.goldmark.org/jeff/
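The two configurations discussed in this exchange, side by side, as an added example that is not part of the thread: the `%wheel ALL=(ALL) ALL` rule from the reply above, and the narrower per-command rule Jerry suggests. The group file contents, the user names `jeff`, `alice` and `bob`, the `operators` group and the `SERVICES` alias are constructed sample data; the small check functions only resolve `%group` rules and are a way to reason about who gets root before committing a change (`visudo -c` remains the real syntax check and is invoked only if it is installed).

```shell
#!/bin/sh
# Added example (not from the thread). Two sudoers fragments and a small
# check that answers "does this user get sudo through a %group rule?".
# All names and file contents below are constructed sample data.

# Fragment 1: the setup described in the reply. Every wheel member may run
# any command as any user, authenticating with their own password.
SUDOERS_WHEEL='%wheel ALL=(ALL) ALL'

# Fragment 2: the narrower setup Jerry suggests, limiting a group to
# specific commands. Cmnd_Alias SERVICES and group 'operators' are invented.
SUDOERS_LIMITED='Cmnd_Alias SERVICES = /usr/sbin/service
%operators ALL=(root) SERVICES'

# Constructed /etc/group sample. FreeBSD format: name:password:gid:members
GROUP_SAMPLE='wheel:*:0:root,jeff
operators:*:1001:alice
staff:*:20:bob'

# groups_of USER GROUPDATA -> prints each group USER is listed in
groups_of() {
    user=$1
    printf '%s\n' "$2" | awk -F: -v u="$user" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# sudo_rule_for USER GROUPDATA SUDOERS -> prints the %group rules that apply
# (per-user rules, aliases and Defaults lines are deliberately out of scope)
sudo_rule_for() {
    user=$1; groups=$2; sudoers=$3
    for g in $(groups_of "$user" "$groups"); do
        printf '%s\n' "$sudoers" | grep "^%$g[[:space:]]" || true
    done
}

# has_full_root USER GROUPDATA SUDOERS -> yes if a matching rule grants
# unrestricted root (the %wheel ALL=(ALL) ALL shape), otherwise no
has_full_root() {
    if sudo_rule_for "$1" "$2" "$3" | grep -q 'ALL=(ALL) ALL'; then
        echo yes
    else
        echo no
    fi
}

# validate_sudoers TEXT -> runs visudo -c on a temporary copy when visudo is
# available (ok/bad); prints "skipped" elsewhere so the script stays portable
validate_sudoers() {
    if ! command -v visudo >/dev/null 2>&1; then echo skipped; return 0; fi
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    if visudo -c -f "$tmp" >/dev/null 2>&1; then echo ok; else echo bad; fi
    rm -f "$tmp"
}

# Usage: compare what each sample user is granted under each fragment
for u in jeff alice bob; do
    echo "$u: wheel-rule=$(has_full_root "$u" "$GROUP_SAMPLE" "$SUDOERS_WHEEL")" \
         "limited-rule=$(has_full_root "$u" "$GROUP_SAMPLE" "$SUDOERS_LIMITED")"
done
echo "syntax check of limited fragment: $(validate_sudoers "$SUDOERS_LIMITED")"
```

Run it as plain `sh`; nothing touches the live `/etc/group` or `/usr/local/etc/sudoers`. The point of the two fragments is the trade-off Jerry names: the wheel rule is easy to reason about but hands out full root to every group member, while the command-alias form requires thinking through each allowed command and its arguments.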