| 1 |
gentoo-security@l.g.o |
| 2 |
|
| 3 |
(Sorry, Mr. Aleksandrovich, and possibly other people, for the double |
| 4 |
post. I wasn't paying attention, and gmail is being indecisive) |
| 5 |
|
| 6 |
Well, call me precaffeinated if you must, but if you're only using it |
| 7 |
locally, and also have root login, you can make it passwordless, so |
| 8 |
that no one can use it to login, and only root can do a su emerge, but |
| 9 |
it's a bit of a weird thing to do. |
| 10 |
But as I recall, you can specify, in sudoers, the ability for |
| 11 |
*specific* users to su to *specific* other users. So I don't seen a |
| 12 |
reason you couldn't make a 'sudo su emerge' work with a passwordless |
| 13 |
emerge account. |
| 14 |
|
| 15 |
It's a little moot, because you want them to only have temporary full |
| 16 |
(read: root) access while emerging, and that's -never- going to be |
| 17 |
secure, you might as well give them admin rights and get it over with, |
| 18 |
rather than hacking funky effective-group running combined with sudo |
| 19 |
or something odd like that. |
| 20 |
|
| 21 |
(at uni we used to have test systems, for things like kernel module |
| 22 |
development, that had a 'sudo su root' option. *waits for minds to |
| 23 |
boggle* Yeah. I still don't get exactly why. I mean, assuming there's |
| 24 |
a vague point to sudo su nonroot, there's basically none to sudo su |
| 25 |
root. Perhaps in this case, where you cold enable specific users to do |
| 26 |
that, but on these systems anyone could, iirc...) |
| 27 |
|
| 28 |
--Bart Alewijnse |
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-security@g.o mailing list |
Archives