On Sun, May 28, 2006 at 08:22:06AM -0600, Joseph Smidt wrote:
> Is there any way to make the sudo password different from the login
> password? Wouldn't that make it more secure? That would make two passwords
> you have to get through to have root access vs. one.

Yes, but it doesn't really make sense according to the originally intended paradigm. Sudo was intended to allow system administrators to grant normal users authority to run specific applications with elevated (or just different) privileges, and to keep a comprehensive log of such activity. Requesting the password was intended as a way to make sure that the person executing the command was the intended user (or someone who at least knew the user's password), and not somebody taking advantage of an unattended terminal.

If, on the other hand, sudo is used to give a user permission to run a shell or similarly open ended application as root, then it is effectively being used as an alternative to 'su', with the detailed logging purely optional and with more than one allowable root password, resulting in a substantial reduction in security.

You can configure it to ask for the root password or target user password instead of the invoking user's password. See sudoers(5). It isn't obvious to me what you would gain by doing this over just using su - other than letting non-wheel users use the root password.

I suspect what you are thinking of would be some option to store encrypted passwords in the sudoers file, effectively providing some sort of individual super user password to different users. There might be something to be said for that if sudo is going to be used as an open ended 'su' alternative, but as far as I know it is not currently supported.

Regards,
DigbyT
--
Digby R. S. Tarvin digbyt(at)digbyt.com
http://www.digbyt.com
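
The password-prompt settings referred to in the reply above, shown as a sudoers fragment. This is an added illustration and not part of the original message: `rootpw` and `targetpw` are the sudoers(5) flags in question, while the users `alice` and `bob`, the command paths and the log file location are hypothetical.

```sudoers
# Constructed example; "alice", "bob" and all paths are hypothetical.
# Edit with visudo so that syntax errors are caught before the file is installed.

# With neither flag set, sudo prompts for the invoking user's own password.

# Prompt for root's password instead, for every user:
#Defaults rootpw

# Prompt for the password of the target user (the one given with -u, root by default):
#Defaults targetpw

# Either flag can be scoped to a single user rather than set globally:
Defaults:bob rootpw

# Restricted use: a named set of commands, with each invocation written to a log.
Cmnd_Alias WEBCTL = /usr/sbin/apachectl restart, /usr/sbin/apachectl graceful
Defaults logfile=/var/log/sudo.log
alice ALL = (root) WEBCTL

# Open-ended use: bob can run anything, so sudo is acting as an su replacement.
# Because of rootpw above, bob must know root's password to use this rule.
bob ALL = (ALL) ALL
```

With this fragment `alice` authenticates with her own password and is limited to the two logged commands, while `bob` gains nothing over `su` except the sudo log entry for the command he starts.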

