Date:      Thu, 22 Feb 2007 17:09:16 -0500
From:      Jerry McAllister <>
To:        Jeffrey Goldberg <>
Subject:   Re: Reg, User rights

On Thu, Feb 22, 2007 at 03:33:50PM -0600, Jeffrey Goldberg wrote:

> On Feb 22, 2007, at 11:02 AM, Jerry McAllister wrote:
> >Install and set up sudo  (/usr/ports/security/sudo) and create a
> >configuration for that user so they can run specific commands that
> >you specify and only those commands.   This is a very good method,
> >but sometimes it takes some careful thought to deal with the various
> >commands and their possible arguments that you want to allow or
> >disallow.
> This is my choice.  I haven't done a careful comparison of all of the  
> methods you proposed, but I find this the most natural, particularly  
> after using OS X for 5 years.
> This is what I do for myself (there are no other people with accounts  
> on the particular machine.)  In /etc/passwd I have a normal user and  
> group that was set up during installation.  I added that user to the  
> wheel group in /etc/groups and configured /usr/local/etc/sudoers with  
> the line
>   %wheel  ALL=(ALL)       ALL
> This works just fine.  Users in the wheel group can use sudo to  
> execute things as root, but they only need their own passwords.   
> Root's password is extremely good and basically never used, so it is  
> stored away in some secure manner and doesn't exist in anybody's head.
> I like the idea of not having to give out a root-like password but  
> still to require authentication when operating as root.  Ever since I  
> learned this trick from OS X, I've been using it everywhere I can  
> install sudo.

That is probably the best general solution if you want to give
overall admin rights.   But, often there is a reason to give
only a limited set of root (admin) privileges.  Then the sudo
config (sudoers)  must be more complex and can get tricky if
the limits are complicated.

> -j
> -- 
> Jeffrey Goldberg              
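
The broad wheel rule from the thread next to a limited sudoers configuration, as an added example that is not part of the original messages. The user name webop, the apache22 rc script and the file paths are assumptions chosen for illustration.

```sudoers
# Constructed example for /usr/local/etc/sudoers (always edit with visudo).
# "webop", the apache22 rc script and the log/config paths are assumptions.

# Broad rule quoted in the thread: any wheel member may run any command
# as any user, authenticating with their own password.
%wheel  ALL=(ALL)       ALL

# Limited rules: give full paths and the exact arguments that are allowed.
# A path listed with no arguments would permit ANY arguments, so each
# permitted invocation is spelled out.
Cmnd_Alias WEB_CTL = /usr/local/etc/rc.d/apache22 status, \
                     /usr/local/etc/rc.d/apache22 restart
Cmnd_Alias WEB_LOG = /usr/bin/tail -n 100 /var/log/httpd-error.log

# A path followed by "" may be run only with no arguments at all.
Cmnd_Alias DISK    = /bin/df ""

# webop may run only the commands above, and only as root.
webop   ALL=(root)      WEB_CTL, WEB_LOG, DISK

# File edits go through sudoedit, which runs the editor as the invoking
# user on a temporary copy instead of running an editor as root.
webop   ALL=(root)      sudoedit /usr/local/etc/apache22/httpd.conf
```

Running `visudo -c` checks the file for syntax errors, and `sudo -l` run as the user lists what the rules actually grant.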
