On 27.5.2012 17:02, Hans Witvliet wrote:
> On Fri, 2012-05-25 at 20:24 -0300, Claudio Freire wrote:
>> On Fri, May 25, 2012 at 8:07 PM, Hans Witvliet wrote:
>>> b) in a large company specific roles are assigned to certain users. Those users should only be troubled with their own pwd, and should never have access to either root-pwd or root-privileges.
>>> Dedicated accounts with their own pwd are a nightmare for an organisation.
>>
>> What do you mean with that? I can only parse that sentence to mean all users should have the same password, which seems quite unlikely to be what you meant as that's nonsense.
>
> Perhaps mistaken, but I got the impression that privileges for maintaining, for instance, a printer would be given to a dedicated _user_ account (with its own pwd) instead of giving the privilege to a group. Although it might lead to a working situation, if you need dozens of accounts & pwd to do your job, the situation got worse instead of better/safer.

It will always depend on the granularity we need. If you would assign each user permission to each operation, it would turn into a mess. What makes IMO more sense is to define more high-level roles, which would be assigned operations which they are allowed to perform, and assign the roles to users (multiple roles to a user, and multiple users having the role).

Imagine on printing, you can have the following operations:
- reconfigure options of a printer queue
- create a new printer queue
- reorder the jobs in a queue
- cancel a job (belonging to any user)
and probably more.

Then you can have high-level roles
- printer admin (getting all of the above)
- printer operator (getting the third and fourth)

While we should come with sane defaults, this concept gives system admins the flexibility to define their roles.

Jiri

> And against gaining root privileges with sudo: At work somebody implemented it, and it ended up in a huge mess. The person asked for it so he could start/stop apache and mysql and so on. But some weeks later on we found out that he was doing totally other things (changing network addresses, which caused a lot of trouble) (Probably he implemented it the wrong way, but still it leaves a bitter taste)
>
> hw
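
The role model described in the thread (operations grouped into roles, roles assigned to users), as an added Python sketch that is not part of the original messages or of any openSUSE tool. The user names and role assignments are constructed, and `who_can` and `excess_ops` are hypothetical helpers for reviewing who holds an operation and what a grant allows beyond the stated need.

```python
from enum import Enum


class Op(Enum):
    RECONFIGURE_QUEUE = "reconfigure options of a printer queue"
    CREATE_QUEUE = "create a new printer queue"
    REORDER_JOBS = "reorder the jobs in a queue"
    CANCEL_ANY_JOB = "cancel a job (belonging to any user)"


# The two roles named in the thread, each a fixed set of operations.
ROLES = {
    "printer-admin": frozenset(Op),
    "printer-operator": frozenset({Op.REORDER_JOBS, Op.CANCEL_ANY_JOB}),
}

# Constructed assignments: several users may share a role, and one user
# may hold several roles.
USER_ROLES = {
    "alice": {"printer-admin"},
    "bob": {"printer-operator"},
    "carol": {"printer-operator"},
    "erin": {"printer-operator", "printer-admin"},
}


def effective_ops(user):
    """Union of the operations of every role the user holds.

    Unknown users get the empty set (deny by default). A role name that
    is not defined raises KeyError, so a typo in an assignment is caught
    instead of silently changing what the user may do.
    """
    ops = set()
    for role in USER_ROLES.get(user, ()):
        ops |= ROLES[role]
    return ops


def is_allowed(user, op):
    return op in effective_ops(user)


def who_can(op):
    """Audit view: every user who may perform the operation."""
    return sorted(u for u in USER_ROLES if is_allowed(u, op))


def excess_ops(user, needed):
    """Operations the user is granted beyond the ones actually needed."""
    return effective_ops(user) - set(needed)
```
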