I have a requirement to give our local computer
security department accounts that have the capability
to view configuration information of our Tru64 5.1
boxes. I have negotiated an arrangement that we will
(change and) give them the root password upon specific
request only, but obviously I would prefer to minimize
their use of the root account/password. We do not use
sudo, nor do I see that it would really address the
problem at hand (if I am wrong, please edify).
My personal account has a primary group of system and
no secondary groups. Using my account, I cannot view
the contents of the /sbin/rc.x directories. To allow
the new computer security accounts to view the rc
directories without being root I gave their accounts a
primary group of system (to allow root) and a
secondary account of bin.
How awful is this configuration? I'm afraid I may
have opened up Mack truck sized holes. What is the
best way to meet the access requirements while
minimizing root usage? Security/Account lectures
and/or references, documents, best practices, etc
welcomed.
Thanks
Bill
__________________________________________________
Do you Yahoo!?
New DSL Internet Access from SBC & Yahoo!
http://sbc.yahoo.com
Received on Mon Sep 23 2002 - 16:25:34 NZST