Mailing Lists: Apple Mailing Lists


Re: Problems 'su'ing into the root user



The original question Nate posed was what to do with his issue, which has
not really been addressed.  Everyone agrees that sudo is better than su for
security's sake.  Using a sudo bash (or your favorite shell) would also have a
similar effect to using su, with similar security concerns.   But these do
not address the error of:
Aug 22 11:21:11 ns su: pam_authenticate: Permission denied

For this, I would look into your sudoers file and read the man page for
sudoers.  Also, Andrina posted a great article at:
http://www.afp548.com/article.php?story=20051025103428232 on editing
sudoers.  

Personally, I've had a couple of weird issues where I disabled root in
NetInfo and re-enabled root in order to get around some issues that I
encountered with pam errors on root.  If you are concerned about other
admins escalating their privileges then this is something that can be
limited in the sudoers file as well.  Generally, you can sudo -u <username>
as those users (if you have or can have them type in their passwords) to see
if their permissions will give them access to run commands you do not want
them to run.  According to how much time you want to spend you can get very
granular with these controls.

In terms of the issues on client systems, are you able to sudo or su as your
directory administrator account on the client systems (often diradmin)?

Charles Edge, MCSE, ACSA, CCA, CCNA, FM8CD, Net+/Sec+, SCTA
Partner :: 318 :: www.318.com :: 310.581.9500
Author :: Mac Tiger Server Little Black Book
Author :: Web Admin Scripting Little Black Book
Author :: Longhorn Server Little Black Book

On 8/21/06 10:13 PM, "Ansgar -59cobalt- Wiechers" <email@hidden>
wrote:

> On 2006-08-22 Simon Slavin wrote:
>> On 22 Aug 2006, at 5:30am, Ansgar -59cobalt- Wiechers wrote:
>>> On 2006-08-22 JC Derr wrote:
>>>> - sudo doesn't even require enabling the root account.
>>>> - sudo uses the users personal password. as such, if you fire an
>>>> employee you can selectively reject his sudo access without having to
>>>> pass out a new root password to the department.
>>>> - sudo logs more thoroughly (or used to, at least; i haven't used
>>>> 'su' in ages), allowing responsible parties better paper trails when
>>>> hunting down malicious or inept users.
>>>> - sudo (by default) works one-command-at-a-time, making the user
>>>> think a little harder before issuing root commands, hopefully
>>>> avoiding possibly fatal errors.
>>>> - since sudo doesn't (by default) generate an actual shell, you can't
>>>> easily drop into it and walk away, allowing a potential security
>>>> breach.
>>> 
>>> That's several advantages "sudo" has over "su". However, if you re-read
>>> my question, you'll probably notice that my question was *not* about
>>> the difference between "sudo" and "su". Instead I was specifically
>>> asking for the difference Simon sees between "sudo -s" and "sudo su".
>> 
>> JC listed them quite neatly for me.  While they both give UID 0 the
>> differences in the logging, in what happens if you accidentally type
>> the wrong thing, in enabling the root account, and in paying
>> attention to 'sudoers' make me prefer never to use 'su'.
> 
> The only difference in logging that I can see is the command executed by
> sudo: /bin/bash in one case, /usr/bin/su in the other. The root account
> does NOT need to be enabled for "sudo su" to work, and I entirely fail
> to see how "sudo su" would not pay attention to 'sudoers'. I also fail
> to see how there's a difference between "accidentally typing the wrong
> thing in a root shell" and "accidentally typing the wrong thing in a
> root shell".
> 
> Could you please actually *READ* a mail before replying to it? Thank
> you.
> 
> Regards
> Ansgar Wiechers
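Charles's point about limiting what other admins can escalate to in sudoers, as an added example that is not part of the original thread. The user name nate, the command paths, the alias names and the log file path are assumed for illustration; the weak line is shown beside the narrower one so the difference is visible.

```sudoers
# Added example, not from the thread. "nate" and the paths are assumed.

# Weak: unrestricted root. With this line "sudo -s", "sudo su" and
# "sudo bash" are all permitted, so every admin has an interactive root shell.
nate        ALL = (ALL) ALL

# Narrower: name the commands the admin actually needs, as root only.
Cmnd_Alias  SERVERCTL = /usr/sbin/serveradmin, /usr/sbin/apachectl
Cmnd_Alias  SHELLS    = /bin/sh, /bin/bash, /bin/zsh, /usr/bin/su
nate        ALL = (root) SERVERCTL

# Tempting but weak: "ALL, !SHELLS" is bypassable (copy /bin/sh to another
# name, or use an editor's shell escape), as the sudoers man page warns.
# nate      ALL = (root) ALL, !SHELLS

# Keep a local copy of sudo's log in addition to whatever syslog does with it.
Defaults    logfile=/var/log/sudo.log
```

Always edit with visudo so a syntax error cannot lock everyone out. To check what a given admin ends up with, run `sudo -l` as that user (or, on sudo 1.7 and later, `sudo -l -U nate` as an administrator); that shows the effective command list without having to try each command.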


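Ansgar's observation that the only logging difference between "sudo -s" and "sudo su" is the COMMAND= field suggests a check a practitioner would actually want: scan sudo's log for any invocation whose target is a shell, su, or a nested sudo, since those are the entries that end in an interactive root shell regardless of how it was spelled. This is an added example, not code from the thread; the log lines are constructed in sudo's standard syslog format with an assumed host "ns" and users "nate" and "admin".

```shell
#!/bin/sh
# Added example: flag sudo invocations that hand out an interactive root
# shell, whether via "sudo -s" (COMMAND=/bin/bash), "sudo su", "sudo bash"
# or a nested "sudo -u ... -s".  The log lines below are constructed in
# sudo's syslog format; host "ns" and the user names are assumed.

SAMPLE='Aug 22 11:21:11 ns sudo:     nate : TTY=ttys000 ; PWD=/Users/nate ; USER=root ; COMMAND=/bin/bash
Aug 22 11:22:40 ns sudo:     nate : TTY=ttys000 ; PWD=/Users/nate ; USER=root ; COMMAND=/usr/bin/su
Aug 22 11:25:02 ns sudo:     nate : TTY=ttys000 ; PWD=/Users/nate ; USER=root ; COMMAND=/usr/sbin/serveradmin start web
Aug 22 11:26:13 ns sudo:    admin : TTY=ttys001 ; PWD=/Users/admin ; USER=root ; COMMAND=/usr/bin/sudo -u nate -s
Aug 22 11:27:51 ns su: pam_authenticate: Permission denied'

# Print the sudo lines whose target command (by basename) is a shell, su,
# or sudo itself.  Non-sudo lines, such as the su/pam error, are ignored.
flag_shell_escapes() {
    awk '
        / sudo: / && match($0, /COMMAND=[^ ]+/) {
            cmd = substr($0, RSTART + 8, RLENGTH - 8)   # strip "COMMAND="
            sub(/.*\//, "", cmd)                        # keep the basename
            if (cmd ~ /^(sh|bash|zsh|ksh|csh|tcsh|su|sudo)$/) print
        }'
}

# Number of flagged lines, as a bare integer (handy for a nightly report).
count_shell_escapes() {
    flag_shell_escapes | wc -l | tr -d ' '
}

# Stand-alone run: show the three lines that opened a root shell.
printf '%s\n' "$SAMPLE" | flag_shell_escapes
```

Feed it the file sudo writes to (the `Defaults logfile` path, or wherever syslog sends the authpriv facility on the box). The basename list is a heuristic: a command with its own shell escape, such as an editor's `:!sh`, produces a COMMAND= entry that looks harmless, which is the same reason a `!SHELLS` exclusion in sudoers is not a real boundary.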


Macos-x-server mailing list      (email@hidden)
References: 
 >Re: Problems 'su'ing into the root user (From: Ansgar -59cobalt- Wiechers <email@hidden>)