SUMM: root privileges security question

From: Guy Dallaire <dallaire_at_total.net>
Date: Wed, 23 Apr 1997 16:05:46 -0400

Thanks to all who replied.

Here is my original post:

We would like to stop logging in as root every time we have to check
something on the system. We fear that one day we will make THE mistake and
destroy something important by error.

What is the easiest way to create an 'admin' account that we could use in
such a way that if we have to do something to the system, we would just
'su', do it, then exit?

What we've done right now is create an admin user, belonging to group
'users' and to group 'system'. The problem with it is that I fear this
admin user can still destroy important things in the system.

For example, I created a file as user 'root' somewhere, and I then used
the 'admin' account to try to delete that file, e.g.:

darwin# touch /etc/foo.bar
darwin# su - admin
darwin> rm foo.bar
rm: Override protection 644 for foo.bar?

If I type 'y', I get an:
darwin> rm: foo.bar: Permission denied

Other than using 'sudo', is there an easy way to have an 'ordinary' user
be able to su to root, but in a way that does not generate the 'override
...' message and only gives a 'permission denied' message?

=======================================================================

And the solution(s) we'll take:

a) Instead of giving system group membership to our 'admin' user (which
is still too powerful from our point of view), we will only give it 'users'
group membership. If we really need to su, we will use 'su - root' instead
of just 'su'. What we expected by giving the 'admin' user system group
membership was that this user would get 'read-only' privileges to all files
but could not destroy anything; it does not seem to be that easy.

b) We will compile 'sudo' (I've got an old version from the Nemeth et al.
book; if you know of a better/newer one, your suggestions/pointers are
welcome) and use it with our 'admin' user.

                                Thanks again

Guy Dallaire
dallaire_at_total.net

"God only knows if god exists"
Received on Wed Apr 23 1997 - 22:14:05 NZST
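Added example, not part of Guy's post or of any replies in the thread: a small audit script for the question raised in (a), namely what a group such as 'system' can actually modify before an 'admin' account is made a member of it. It separates group-writable files from group-writable directories, because removing or renaming a file needs write permission on the directory, not on the file; that is why the 'rm foo.bar' above first prompted (file mode 644, not writable by admin) and then failed with 'Permission denied' (/etc itself not writable by admin). The group name 'system' and the path /etc are taken from the post; the demo tree, its file names and modes are constructed here and owned by the caller's primary group (id -gn) so the script runs without root.

```shell
#!/bin/sh
# Added example (not from the original post). Lists what a given group can
# modify under a directory tree:
#  - group-writable files: members can change their contents;
#  - group-writable directories: members can create, rename and unlink
#    entries there whatever the mode of the entries themselves, because
#    unlink checks the directory's permissions, not the file's.

# Regular files under $2 owned by group $1 with the group write bit set.
group_writable_files() {
    grp=$1; dir=$2
    find "$dir" -type f -group "$grp" -perm -020 2>/dev/null | sort
}

# Directories under $2 owned by group $1 with the group write bit set.
group_writable_dirs() {
    grp=$1; dir=$2
    find "$dir" -type d -group "$grp" -perm -020 2>/dev/null | sort
}

# One-line summary of both counts, e.g. "group=system files=3 dirs=1".
group_write_summary() {
    grp=$1; dir=$2
    nf=$(group_writable_files "$grp" "$dir" | wc -l | tr -d ' ')
    nd=$(group_writable_dirs "$grp" "$dir" | wc -l | tr -d ' ')
    echo "group=$grp files=$nf dirs=$nd"
}

# Constructed stand-in for /etc (file names and modes are made up for the
# demo), owned by the caller's primary group so no root is needed.
# Prints the path of the tree root.
build_demo_tree() {
    tmp=$(mktemp -d)
    mygrp=$(id -gn)
    mkdir -p "$tmp/etc/spool"
    touch "$tmp/etc/passwd" "$tmp/etc/motd" "$tmp/etc/spool/job1"
    chgrp -R "$mygrp" "$tmp/etc"
    chmod 755 "$tmp/etc"              # not group-writable: no unlink here
    chmod 644 "$tmp/etc/passwd"       # read-only for the group
    chmod 664 "$tmp/etc/motd"         # group-writable file
    chmod 775 "$tmp/etc/spool"        # group-writable directory
    chmod 644 "$tmp/etc/spool/job1"   # still removable by the group via spool/
    echo "$tmp/etc"
}

# Demo: audit the constructed tree, then clean it up.
demo() {
    root=$(build_demo_tree)
    mygrp=$(id -gn)
    echo "group-writable files:"; group_writable_files "$mygrp" "$root"
    echo "group-writable dirs:";  group_writable_dirs "$mygrp" "$root"
    group_write_summary "$mygrp" "$root"
    rm -rf "$(dirname "$root")"
}

demo
```

On a real host the check is 'group_write_summary system /etc' (or 'system /'), run once before and once after any chgrp/chmod changes; any directory that shows up is one where a member of that group can delete or replace files regardless of their 644 modes, which is the "read-only but cannot destroy anything" property the post was hoping group membership would give.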