On 2018-08-07 at 09:22, Dave Sherohman wrote: > On Tue, Aug 07, 2018 at 08:07:56AM -0400, The Wanderer wrote: > >> On 2018-08-07 at 07:47, Martin wrote: >> >>> The point is not, that ONE person needs a root password. All >>> people intended to do privileged things will have to share this >>> password. This is a security nightmare! >> >> If they're all trusted enough to be trusted with that password in >> the first place, this isn't a problem, any more than the one person >> having it is. >> >> If they aren't trusted enough to have that password, why are we >> permitting them to do anything root-level in the first place? > > It's not just a question of trust, but also one of maintenance. > What happens when one of the people with root access gets a new job? > > Using su and a shared root password: > - Disable the person's account. > - Change the root password. > - Find a secure way to distribute the new password to all the people > it's shared by. > > Using sudo: > - Disable the person's account. > - Remove the account from /etc/sudoers and/or the sudo group. > > Everyone else with root access is completely unaffected by the > departure.
That's a valid point. I'm not sure it's enough to outweigh the other factors underlying my opinion on the subject (especially not since the computers I'm working with in the cases at hand aren't work machines, they're home systems, and the "other users" are either family members or close friends - although I'll admit the scope of the discussion is broader than that), but it's definitely an important consideration, and there are contexts in which it could trump. -- The Wanderer The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. -- George Bernard Shaw
signature.asc
Description: OpenPGP digital signature
