Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!wuarchive!waikato.ac.nz!aukuni.ac.nz!russell
From: russell@ccu1.aukuni.ac.nz (Russell J Fulton;ccc032u)
Newsgroups: comp.admin.policy
Subject: Re: Policies concerning root privs
Message-ID: <1991Jun7.000007.10220@ccu1.aukuni.ac.nz>
Date: 7 Jun 91 00:00:07 GMT
References: <8560@jhunix.HCF.JHU.EDU>
Organization: University of Auckland, New Zealand.
Lines: 27

In article
->I'm sure this has been discussed to death in other groups, but I
->haven't seen it and this seemed to be an appropriate place.
->
->I am responsible for some 40 workstations. These workstations are all
->connected to the Internet, and are dispersed among 18 different
->groups, each of which would like to have root privileges on their
->machines.
->
->Is this a good/bad idea? What policies have various sites developed
->to deal with this question? If it's a bad idea, what are various
->methods for dealing with groups that demand they have root privilege?
->Any advice for sites on how to approach revoking privileges?

You could consider something like the sudo program from 'unix system
admin handbook' by Nemeth, Snyder and Seebass. It allows you to give some
users the ability to execute a restricted set of commands as root. It
also logs anything it does. (So if they do stuff things up then at least
you know what they did.)

This way you can let someone local have access to the spool control
program and mount but nothing else.

Russell.
--
Russell Fulton, Computer Center, University of Auckland, New Zealand.