Quote:
Originally Posted by gavbam
Hi guys I am running Fedora and I am trying to learn so much about this new jump over to Linux.
(All must be done in bash so I can learn the long way round first)
My problem lies where I have a user who needs to do certain tasks with the same privileges as root.
Would it be best to create a group then add both user and root to that group so they both have admin like privs?
Sorry guys but I am new to this and trying to do and search as much as I can but it looks like I am chasing my tail. Thanks in advance.
Gavbam
If you're the admin, be very, VERY careful who you give root (or root privileges) to. They *SAY* they 'need' it, but verify. If they only need to do one thing, use SUDO to ONLY give them that one thing.
Just like adminning a Windows box...you don't pass out admin privs to everyone, and you shouldn't in Linux either. If they don't need it, don't give it. SUDO is a great tool...you can log when commands are run, and only give root-level access to certain commands, to certain people. If you give someone root shell....you'd better be 100% sure you can trust them, AND that they'll own up to mistakes. If the box gets toasted...YOU are the one responsible. They can always say, "yep, I was logged in, and the box just died...". Logs will say that ROOT did command XXXX, and they'll be at your doorstep, wanting to know why, and holding you responsible. That's why it's better to limit what the users can do.
Yes, they'll complain about it, and whine that it's making their jobs harder, etc., etc....but all you have to say to your boss is "Well, they don't need it, and I'm keeping the box secure and running". If the boss insists, get it IN WRITING, and get your boss to sign off on it, and the user too, saying that they know what they're doing, and that the user (not you) is responsible for any damages done due to carelessness. You'll be surprised how often the user will suddenly say "Gee, maybe I can live with 'regular' rights....", when they have to be responsible. And make sure you've got logs going to multiple locations, so they can't be edited/changed to erase things.
Sorry if I sound bitter and cynical, but I've been doing this for a long time, and have been at the receiving end of something like this. Once you cover yourself, you won't have worries. And if the user IS responsible and professional, they'll recognize what you're doing, and appreciate it.
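The single-command sudo grant recommended in the reply above, as an added example that is not part of the original posts: a small shell script that builds a sudoers rule for one user and one command and syntax-checks it before installation. The user `alice`, the `systemctl restart httpd` command, the drop-in name `alice-httpd` and the helper names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: build a sudoers drop-in granting ONE user ONE command.
# "alice", the systemctl command and the file name are constructed values.

# Print a single-command sudoers rule, or fail on input that would widen it.
make_rule() {
    rule_user=$1
    rule_cmd=$2
    case $rule_user in
        ''|*[!a-z0-9_-]*) echo "bad user name" >&2; return 1 ;;
    esac
    # An absolute path pins the exact binary.
    case $rule_cmd in
        /*) ;;
        *) echo "command must be an absolute path" >&2; return 1 ;;
    esac
    # Anything outside this set (wildcards, commas, '=') is refused.
    leftover=$(printf '%s' "$rule_cmd" | tr -d 'A-Za-z0-9_./ -')
    [ -z "$leftover" ] || { echo "unsupported character in command" >&2; return 1; }
    printf '%s ALL=(root) %s\n' "$rule_user" "$rule_cmd"
}

# Syntax-check a candidate file; visudo -c -f parses it without installing it.
check_rule_file() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null 2>&1
    else
        echo "visudo not in PATH; file not checked" >&2
    fi
}

demo() {
    tmp=$(mktemp) || return 1
    make_rule alice '/usr/bin/systemctl restart httpd' > "$tmp"
    cat "$tmp"
    check_rule_file "$tmp" || echo "visudo rejected the file" >&2
    # As root, after the check passes (sudo skips sudoers.d names containing '.'):
    #   install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/alice-httpd
    rm -f "$tmp"
}
demo
```

With this rule in place, sudo records each run under alice's own user name, and any other command she tries through sudo is denied and logged as well.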