Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!uwmcsd1!marque!uunet!mcvax!ukc!reading!bru-cc!linda
From: linda@cc.brunel.ac.uk (Linda Birmingham)
Newsgroups: comp.unix.wizards
Subject: Re: Reasons for restricting su privilege?
Keywords: su, restricted-su
Message-ID: <479@Terra.cc.brunel.ac.uk>
Date: 8 Nov 88 15:07:16 GMT
References: <6606@pyr.gatech.EDU> <3948@encore.UUCP>
Reply-To: linda@cc.brunel.ac.uk (Linda Birmingham)
Organization: Brunel University, Uxbridge, UK
Lines: 38

In article <3948@encore.UUCP> bzs@xenna (Barry Shein) writes:
>
>> I'm having a problem convincing some of the people around
>> here of the dangers of having several super users. One of
>> our faculty members insists upon having the privilege,
>> for whenever one of the normal super users isn't around. I've
>> tried every argument I know, all to no avail. Any hints?
>> Any new arguments? For that matter, give me the old arguments.
>

Try getting hold of the super-user shell which was on the net early
this year. sush is a restricted shell that allows systems
administrators to grant specific limited privileges to users. All
commands that are executed are logged to the system log, as well as
other pertinent information.

I feel strongly that the number of super-users should be limited. It's
hard to trace any "funnys" on the system when a number of people have
had their fingers in the pie. We all have bad days. We all make
mistakes. The more super-users you have the more inconsistencies you
are going to get. The more super-users you have the greater the
possibility of a terminal being accidentally left in root mode, and the
greater the possibility of the password being observed.

However, if you are strict about the number of super-users you should
always make sure one of them IS available or at least can be contacted
if possible.

>"lab" happy. Too bad, yer dead meat. On the other hand one has to be
>somewhat sensitive to feelings of being treated like a child or an
>idiot, throwing in the accountability with the privileges should
>accomplish that, after all, that's all you're really trying to get
>across (right?!)

Providing you can prove WHO screwed up the system!!

Linda.
--
Brunel University, Uxbridge, Middlesex, England.
janet: linda@uk.ac.brunel.cc   | :-)
uucp:...ukc!cc.brunel!linda    |