Subject: Re: PermitRootLogin in SSHd (WAS: Re: Telnet logins)
To: None <kenn@h4.dion.ne.jp>
From: David Burgess <burgess@neonramp.com>
List: port-i386
Date: 08/20/2001 09:04:43
kenn@h4.dion.ne.jp wrote:
> 
> On Mon, 20 Aug 2001 08:34:43 -0500, David Burgess <burgess@neonramp.com> wrote:
> > Do what I do (22 machines, 8 admins).
> >
> > - Give each person a login account on the machines in question.
> > - Make each person a member of the wheel group.
> > - Disable root login via ssh.
> > - Have them log in as themselves.
> > - Have them 'su'.
> >
> > This way, my root passwords are kept one layer away from the Internet
> > and I know who did what as root, since the 'su' is logged.
> 
> Maybe I'm missing something here, but isn't it safer to have them
> 'sudo' instead of 'su'?  That way, you never have to give the real
> root password out to anyone.  Plus, you can restrict what they can do
> based on their skill level, etc.  I'm not 100% sure but I think sudo
> is or can be logged, too.

'sudo' would probably be better, but most of the things these folks
do need real root access (editing config files, modifying various
user parameters, editing scripts, etc.).  A lot of these things
defy the easy use of sudo.

Still, it is a good reminder.

Dave
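
An added example, not part of the original post: one way to check that the "disable root login via ssh" step really holds in an sshd_config, assuming current OpenSSH semantics (keywords are case-insensitive, the first value obtained for a keyword wins, and Match blocks override the global section). The sample config and function names are constructed for illustration; Include files are not followed.

```python
# SAMPLE_CONFIG is constructed for illustration, not taken from the post.
SAMPLE_CONFIG = """\
# admins log in as themselves, then su to root
Port 22
permitrootlogin no
PermitRootLogin yes
Match Address 192.0.2.10
    PermitRootLogin prohibit-password
"""

def parse_root_login(config_text):
    """Return (global_value, overrides) for PermitRootLogin.

    global_value is None when the keyword is never set outside a Match
    block; overrides is a list of (match_criteria, value) pairs.
    """
    global_value = None
    overrides = []
    match = None              # criteria of the Match block we are in, if any
    match_has_value = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()   # "Keyword=value" is allowed
        keyword = parts[0].lower()                  # keywords are case-insensitive
        if keyword == "match":
            match, match_has_value = " ".join(parts[1:]), False
        elif keyword == "permitrootlogin" and len(parts) > 1:
            value = parts[1].strip('"')             # arguments are case-sensitive
            if match is None:
                if global_value is None:            # first value obtained wins
                    global_value = value
            elif not match_has_value:
                overrides.append((match, value))
                match_has_value = True
    return global_value, overrides

def root_ssh_disabled(config_text):
    """True only if root login is explicitly 'no' everywhere it is set."""
    global_value, overrides = parse_root_login(config_text)
    return global_value == "no" and all(v == "no" for _, v in overrides)

if __name__ == "__main__":
    print(parse_root_login(SAMPLE_CONFIG))
    print(root_ssh_disabled(SAMPLE_CONFIG))
```

An unset keyword is reported as not disabled, because the built-in default differs between OpenSSH versions.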