Path: utzoo!utgpu!attcan!uunet!husc6!tut.cis.ohio-state.edu!triceratops.cis.ohio-state.edu!karl
From: karl@triceratops.cis.ohio-state.edu (Karl Kleinpaste)
Newsgroups: comp.unix.wizards
Subject: Re: Reasons for restricting su privilege?
Message-ID: <25323@tut.cis.ohio-state.edu>
Date: 21 Oct 88 13:23:40 GMT
References: <6606@pyr.gatech.EDU> <25003@tut.cis.ohio-state.edu> <3185@tekcrl.CRL.TEK.COM>
Sender: news@tut.cis.ohio-state.edu
Lines: 17
In-reply-to: eirik@tekcrl.TEK.COM's message of 20 Oct 88 18:40:42 GMT

eirik@tekcrl.TEK.COM (Eirik Fuller) writes:
   ) Personally, I advocate a menu-driven setuid-root program which allows
   ) for exactly the set of things which a not-normally-administrator
   ) person might possibly have to do in order to stay alive while a real
   ) admin is unavailable.

   Yeah, sure, but what if this spiffy menu contraption allows its luser
   to make new accounts?  "Gee, maybe I'll make an account with uid 0,..."

I guess I can only say that account creation is not something that a
stopgap pseudoadmin would need or be allowed to do.  The definition of
what a pseudoadmin needs to do would have to be decided by experience.

I don't agree with giving out the root password to more than a bare
minimal set.

--Karl