From: William Skulley (skulleyw@yahoo.com)
Date: Mon Sep 23 2002 - 12:24:42 EDT
I have a requirement to give our local computer
security department accounts that have the capability
to view configuration information of our Tru64 5.1
boxes. I have negotiated an arrangement that we will
(change and) give them the root password upon specific
request only, but obviously I would prefer to minimize
their use of the root account/password. We do not use
sudo, nor do I see that it would really address the
problem at hand (if I am wrong, please edify).
My personal account has a primary group of system and
no secondary groups. Using my account, I cannot view
the contents of the /sbin/rc.x directories. To allow
the new computer security accounts to view the rc
directories without being root I gave their accounts a
primary group of system (to allow root) and a
secondary account of bin.
How awful is this configuration? I'm afraid I may
have opened up Mack truck sized holes. What is the
best way to meet the access requirements while
minimizing root usage? Security/Account lectures
and/or references, documents, best practices, etc
welcomed.
Thanks
Bill
__________________________________________________
Do you Yahoo!?
New DSL Internet Access from SBC & Yahoo!
http://sbc.yahoo.com
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:48:54 EDT