Date: Thu, 4 Jan 2001 06:51:11 +0100
From: Cliff Sarginson <cliff@raggedclown.net>
To: Doug Young <dougy@bryden.apana.org.au>
Cc: Tim McMillen <timcm@umich.edu>, MaTrIxDPN@aol.com, freebsd-questions@FreeBSD.ORG
Subject: Re: Su[2] was:(no subject)
Message-ID: <20010104065111.A1054@buffy.raggedclown.net>
In-Reply-To: <027901c07607$5e899f20$847e03cb@apana.org.au>; from dougy@bryden.apana.org.au on Thu, Jan 04, 2001 at 02:32:31PM +1000
References: <8c.ac9607.278548f5@aol.com> <024d01c07601$6de2d140$847e03cb@apana.org.au> <01010323163004.08422@tim.elnsng1.mi.home.com> <027901c07607$5e899f20$847e03cb@apana.org.au>
On Thu, Jan 04, 2001 at 02:32:31PM +1000, Doug Young wrote:
> Hey I'm no expert :) ...... I guess it's to do with maximizing security
> though. The general idea is to control what applications users can run. Our
> policy here is to not have any users (even sysadmins) in wheel group. The
> only true root access is at the actual machine & users are given su access
> to only those functions necessary for them to do whatever they need.
>
> >
> > Do you know why not? Details, I need details. :)
> >
> > > at least add the users to another group & then add the group to
> > > wheel,

This is plain silly, possibly even more likely to suffer from
administrative cockups. And doesn't help one iota ... however far
you indirect a user through groups, if he ends up as being in
group wheel all you have done is complicate things.

A good reason to have an alternative entry than group wheel is if
you want to have a root clone with a useable shell, as opposed to "csh".

Sudo is a reasonable alternative for controlled root access.

Roll on Plan9, no concept of a root user in that O/S :)

Cliff