Topic: To SU or not SU?

[Steve Davis]

I want to add some user accounts as admin users and want to know the best way to do this.
I am looking at visudo and vipw, which have only admin and root as the superuser accounts.

Can I modify these files with out hurting the scripts in my 5.1.2 install?

Steve

[jrp2]

I believe you are fine using sudo.  I have heard of others using it with no problems and can't see any situation where that would break the SME architecture.

The main thing you have to worry about is them doing damage while being admin.  Adding users, changing passwords, etc. using the normal linux CLI tools is a big no-no and will cause lots of problems.  Just make a very strong point to them NOT to do that and to use the web-based server-manager wherever possible.

[Steve Davis]

jrp2 wrote:
>
> I believe you are fine using sudo.  I have heard of others
> using it with no problems and can't see any situation where
> that would break the SME architecture.
>
> The main thing you have to worry about is them doing damage
> while being admin.  Adding users, changing passwords, etc.
> using the normal linux CLI tools is a big no-no and will
> cause lots of problems.  Just make a very strong point to
> them NOT to do that and to use the web-based server-manager
> wherever possible.

That is not quite what I was asking.

How do i GIVE root priviledges to a user, thus keeping them from using root?

[Rich Lafferty]

I'm not sure what you mean when you say that's not what you're asking, since
you asked how to give root privileges to a user, and sudo is a good way of doing
that.

Sudo ought to work fine for you -- that's what we use internally. I'd recommend
creating a group via the server-manager and adding to that group the users
you want to have root privileges, and then giving the group, not individual
users, privileges in /etc/sudoers (via visudo!):

%groupname ALL=(ALL) ALL

visudo and vipw are *compiled programs* used to edit the password file
and the sudoers file; you shouldn't change those (and I'm not sure how you
could, other than breaking them entirely or replacing them). But the file
/etc/sudoers, edited by visudo, is not templated and is how you configure
sudo to grant root privileges to regular users when they need them.

Specifically, you do not want to make other users UID 0. (Also, note that
"admin" is not "root".)

Hope this helps,

  -Rich

[Steve Davis]

Rich Lafferty wrote:
>
> I'm not sure what you mean when you say that's not what
> you're asking, since
> you asked how to give root privileges to a user, and sudo is
> a good way of doing
> that.
>
> Sudo ought to work fine for you -- that's what we use
> internally. I'd recommend
> creating a group via the server-manager and adding to that
> group the users
> you want to have root privileges, and then giving the group,
> not individual
> users, privileges in /etc/sudoers (via visudo!):
>
> %groupname ALL=(ALL) ALL
>
> visudo and vipw are *compiled programs* used to edit the
> password file
> and the sudoers file; you shouldn't change those (and I'm not
> sure how you
> could, other than breaking them entirely or replacing them).
> But the file
> /etc/sudoers, edited by visudo, is not templated and is how
> you configure
> sudo to grant root privileges to regular users when they need
> them.
>
> Specifically, you do not want to make other users UID 0.
> (Also, note that
> "admin" is not "root".)
>
> Hope this helps,
>
>   -Rich


This is what I wanted. I did not know the particulars of editing with visudo.

Thanks, Steve