I don't like the idea of giving the root password to each individual who needs
superuser privileges. I'd rather give each individual their own superuser
id.
This makes individuals more accountable for what they do with superuser privs.
It also prevents them from logging on to root directly.
On Ultrix and OSF/1 with enhanced security turned off, this is easy; I just
assign multiple userids to UID 0. On ULTRIX with enhanced security on, I can't
do that; but I can assign my "superusers" individual uids but set the shell in
the password file to a program that switches the user's ruid to 0 before
invoking their login shell. In this way, the audit logs retain the user's
original id (auid) while running as superuser.
However, on OSF/1 with enhanced security on, this changing ruid strategy
doesn't seem to work. OSF/1 won't execute the user's login shell properly.
It won't execute their .login or .profile. And I assume there are other
"gotchas" that I haven't run across yet since OSF/1 security is quite a bit
tighter than ULTRIX.
How can I give selected users superuser privs without giving them direct
access to root?
Thanks in advance
Received on Sat Jul 08 1995 - 07:55:32 NZST
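
An added example of the kind of wrapper "shell" the post describes, not the poster's own program: it assumes the binary is installed setuid-root and named as the shell field in the password file, and the allowlist `ADMIN_UIDS` and the shell path `ADMIN_SHELL` are hypothetical. It passes `argv[0]` with a leading `-`, the convention by which sh and csh recognise a login shell and read `.profile` or `.login`; the post does not establish whether that is what goes wrong on OSF/1.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical allowlist of real UIDs permitted to become superuser. */
static const uid_t ADMIN_UIDS[] = { 1001, 1002 };
/* Assumed shell; a real wrapper would read it from a root-owned table. */
static const char *ADMIN_SHELL = "/bin/sh";

/* Return 1 if uid is on the allowlist, else 0. */
int is_admin(uid_t uid) {
    size_t i;
    for (i = 0; i < sizeof ADMIN_UIDS / sizeof ADMIN_UIDS[0]; i++)
        if (ADMIN_UIDS[i] == uid) return 1;
    return 0;
}

/* Build argv[0] for a login shell: "-" + basename ("/bin/csh" -> "-csh").
   Returns 0 on success, -1 on an empty basename or a too-small buffer. */
int login_argv0(const char *shell, char *out, size_t outlen) {
    const char *base = strrchr(shell, '/');
    base = base ? base + 1 : shell;
    if (*base == '\0' || strlen(base) + 2 > outlen) return -1;
    out[0] = '-';
    strcpy(out + 1, base);
    return 0;
}

int main(void) {
    char argv0[64], home[256];
    struct passwd *pw = getpwuid(getuid());  /* looked up before the uid changes */
    /* Fixed environment: nothing inherited from the caller reaches the root shell. */
    char *env[] = { "PATH=/sbin:/usr/sbin:/bin:/usr/bin", home, NULL };

    if (pw == NULL || !is_admin(pw->pw_uid)) {
        fprintf(stderr, "not authorized\n");
        return 1;
    }
    if (snprintf(home, sizeof home, "HOME=%s", pw->pw_dir) >= (int)sizeof home) return 1;
    if (login_argv0(ADMIN_SHELL, argv0, sizeof argv0) != 0) return 1;
    /* With euid 0 from the setuid bit, setuid(0) also sets the real and saved uid. */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    execle(ADMIN_SHELL, argv0, (char *)NULL, env);
    perror("execle");  /* reached only if the exec failed */
    return 1;
}
```

The wrapper refuses every caller not on the allowlist before touching its privileges, so the setuid bit grants nothing to other local users who run it directly.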