On 6/10/2014 5:37 PM, Dirk Gently wrote:
When the admin adds a login name to /etc/sudoers, he should, likewise, list the programs (and ONLY the programs) which that user needs to be able to run as root.
It is anything BUT a blank check.
At least that's how it has always been configured on the Solaris, HP-UX, Irix, and other commercial unixes that I administrated in the auto industry.
Well, playing the devil's advocate, it is very difficult to control ALL the programs that sudo can invoke. When you start digging into the sudoers man page you will find it has become hopelessly complex to properly set it up such that you can let users do something as simple as cancel a print job.

I've been given sudo privileges on a few machines to do something that simple, and 9 times out of 10 you can send the admin up a tree when you issue the simple command:

    sudo -s

or

    sudo sudo /bin/sh

There are just way too many things to forget or get wrong when setting up sudoers. I only ran into one geezer (older than me, and I'm no spring chicken) who truly had a good understanding of it and had his Cmnd_Spec_lists well sorted out.

-- 
---This space for rent---
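
An added example, not part of the original message or of sudo itself: a small audit that reads sudoers-style rules and reports any grant that would let the two commands above succeed (ALL, a shell, su, or sudo itself). The sample policy, the user names, the `RISKY` list and the `audit` function are assumptions made for illustration, and the parser covers only simple one-line rules.

```python
import re

# Basenames that give the caller a root shell or a fresh sudo context.
RISKY = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh", "su", "sudo"}

# Constructed sample policy (not from the original post).
SAMPLE_SUDOERS = """\
Cmnd_Alias PRINTING = /usr/bin/cancel, /usr/bin/lprm
Cmnd_Alias TOOLS = /usr/bin/sudo, /usr/bin/lpstat
alice ALL = (root) PRINTING
bob   ALL = (root) ALL, !/bin/sh
carol ALL = (root) NOPASSWD: TOOLS
dave  ALL = (root) /bin/sh
"""

def audit(text):
    """Return (user, command) pairs that allow escalation to a root shell.

    Simplified parser: one rule per line, one level of Cmnd_Alias, no
    includes, line continuations, or escaped commas.
    """
    aliases, findings = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or re.match(r"(Defaults|(User|Host|Runas)_Alias)\b", line):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(.+)", line)
        if not m:
            continue
        user, spec = m.groups()
        spec = re.sub(r"\([^)]*\)", "", spec)      # drop Runas_Spec such as (root)
        spec = re.sub(r"\b[A-Z_]+:", "", spec)     # drop tags such as NOPASSWD:
        cmds = []
        for item in (s.strip() for s in spec.split(",")):
            cmds.extend(aliases.get(item, [item]))
        for cmd in cmds:
            # A negated entry grants nothing; the sudoers manual notes that
            # subtracting from ALL with '!' is not effective, so report ALL.
            if not cmd or cmd.startswith("!"):
                continue
            if cmd == "ALL" or cmd.split()[0].rsplit("/", 1)[-1] in RISKY:
                findings.append((user, cmd))
    return findings

if __name__ == "__main__":
    for user, cmd in audit(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}")
```

On a real system, `visudo -c` checks the file's syntax and `sudo -l -U <user>` lists what a given user is actually allowed to run.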