Chris,

Hrmm...

Chris> Sorry for being vague. Ok, I have these in /etc/sudoers for joeuser.
Chris> joeuser is also in the wheel group.

[...]

Chris> I am finding that I need to add joeuser to use pkg_* tools, tcpdump as
Chris> well.
Chris>
Chris> Is this the right way to do this?

Um, these are a *lot* of privileges for a bunch of random users on a multi-user system. These should not generally be given to users like this. How many users are you running on these systems? Why do they need control of the daemons, your startup scripts, and many other important files? When you give a setup like this, it looks to be more about a single user trying to work (say, on a laptop) using OpenBSD as a workstation?

I cannot recall if you already provided this information, but here are some questions:

1) How many users are on this system?
2) How many need to run these commands?
3) In what environment is this system running [server room, multi-user workstation, laptop, personal computer]?

Most of these are commands that should only be run by specific groups of users, who are dealing with isolated parts of the system. If this is a single-user workstation or roaming machine, then one group, wheel, and the appropriate user thrown into that group, given permissions to run anything as root, will probably suffice, because one expects this user to treat his own account as securely as the root account.

On the other hand, if you have multiple admins, who are in charge of different areas of the machine, then you probably want to set up groups for each of these classes of users, and then set sudo permissions based on this.

Another suggestion is to always require a password when running a sudo command. After the first entry, you can have a delay before asking for the password again if the system goes idle, but this helps on two counts: the user has a chance to double check his work, and if the user leaves his computer logged in for some reason, someone else getting into it probably won't readily have the password, and may save a bit of trouble.

It looks like a lot of these commands have to do with the web server. The way I have it set up on my machine is that I have a few users given permissions (because they belong to the webadmin group) to edit web files, do various things. I could give them permissions as well to edit select system files, but I'm afraid that's not my goal. It might be yours, though.

Bottom line, I only expect a single-user workstation/laptop to require a user to run all these various commands, and that user would be the main administrator anyways. Hence, wheel group will work fine, and why not grant any command?

-- 
((name "Aaron Hsu")
 (email/xmpp "[EMAIL PROTECTED]")
 (phone "703-597-7656")
 (site "http://www.aaronhsu.com"))
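
The group-per-role layout and password policy described in the message above, sketched as a sudoers fragment. This is an added example, not part of the original message or anyone's actual configuration; the group names pkgadmin and netadmin, the alias names, and all command paths are assumptions to adjust for the system at hand.

```sudoers
# Constructed example for /etc/sudoers; always edit with visudo(8).
# Assumptions: groups pkgadmin and netadmin, the alias names, and the
# command paths below. wheel and webadmin are the groups named in the thread.

# Always authenticate. After a successful password entry, sudo will not
# prompt again until 5 minutes have passed since the last sudo command.
# No rule below carries a NOPASSWD tag.
Defaults timestamp_timeout=5

# One command alias per area of responsibility.
Cmnd_Alias WEB   = /usr/sbin/apachectl
Cmnd_Alias PKG   = /usr/sbin/pkg_add, /usr/sbin/pkg_delete
Cmnd_Alias SNIFF = /usr/sbin/tcpdump

# Case 1: single-user workstation or laptop.
# The one administrator is in wheel and may run anything as root.
%wheel    ALL = (ALL) ALL

# Case 2: several admins with separate duties.
# Rules are attached to groups, never to individual login names, so
# access follows group membership and is revoked by removing the user
# from the group.
%webadmin ALL = WEB
%pkgadmin ALL = PKG
%netadmin ALL = SNIFF
```

Running `visudo -c` checks the file's syntax, and `sudo -l -U joeuser` as root lists what a given account is actually allowed to run after the change.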