Björn Persson wrote:
Sorry, my reply was not aimed at you. It was added to voice my reasons for being adamantly against having any account other that root with full root privledges.Jeff Vian wrote:
Björn Persson wrote:
If more than one person needs root access, and a few selected commands through sudo isn't enough, then surely it's better to have multiple root accounts that to share a password.
I disagree!
Here is a situation where this does not make sense, and the use of sudo does make sense
You don't need to prove to me that sudo is useful. Please read what I actally write so you don't disagree with something I've never said. I said _if_ there is a situation where _sudo_isn't_enough_, then multiple root accounts with separate passwords is better than multiple administrators sharing one root password. The little typo I made didn't make the sentence that hard to understand did it?
3. An additional valid argument against allowing users to routinely log in and function as root is that a single careless keystroke can take the system completely down and cost you (or the company) thousands or even millions in doing recovery and possible lost business or sales.
And now it seems like you think I've said that users should do everything as root. I haven't. *Of course* you should run commands as root only when absolutely necessary.
Björn Persson
This is what the OP wanted to do, and some have indicated this would be OK. In my opinion it is not.
If your users with root access and sudo access do not communicate enough to be able to have one ask the admin who does have the root access to assist in the *very few* cases where sudo would not achieve the goal then there is a problem.
Also, there _should_ never be a situation where this could occur if the user is really trusted with full root access. Sudo can be set up in such a way that the trusted user can be given full access to all commands that root must run with no restrictions and with the extra layer of logging enabled. On my machines I use sudo to run everything and /never/ log in as root at any time other than the first new install and configuration.
For those who are unaware of the very flexible configurations available with sudo, look at the man pages for sudo, visudo, and sudoers. It can be tailored in any way needed to allow many users access to the commands they need and still restrict access to the commands that only a few should ever need to just those few. Sudo is a friend to all system admins.
