Re: [Hampshire] Result of the Ubuntu Challenge

Author: Andy Smith
Date:  
To: hampshire
Subject: Re: [Hampshire] Result of the Ubuntu Challenge

gpg: Signature made Sun May 13 10:19:11 2007 BST
gpg: using DSA key 2099B64CBF15490B
gpg: Can't check signature: No public key
On Sun, May 13, 2007 at 09:51:43AM +0100, Stephen Davies wrote:
> Sean,
> My take on su vs sudo is that with su and giving the root password to a
> user is a positive action.


Adding someone to sudoers is also a positive action. They can also
be added with only access to specific commands.

> Just like in your work environment it can be positively controlled
> and even time limited rather than with sudo.


Not sure what you mean here but I'd be surprised if sudo couldn't
fit into whatever it is.

> Yes the user (sudo) has to be allowed to use sudo but IMHO, this
> is still a weakness only one password needs to be cracked/exposed


Users with sudo access should be as competent about password
management as the people who hold the real root password. They
often are the exact same people and sudo is only being used for
extra accountability (it's a big win that it logs each and every
command).

In the event of a user password being compromised, if that user uses
sudo then what they did is logged, which is a far better state of
affairs compared to what happens if the real root password is
leaked. By almost never using the real root passwords it is far
easier to keep them from leaking.

> and ironically a strength as it is easier to manage for non
> experts.


I've trained sales in the use of sudo, can't get much more
non-expert than that without leaving the species. The less they
need to do the simpler it is.

If someone can't handle sudo it is hard to see how they can be
trusted with the root password.

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB

My words are my own and do not represent Jacqui Caren.
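
The accountability point in the message above (sudo logs each command, so a compromised sudo user's actions can be reviewed) is illustrated here with an added example that is not part of the original post. It assumes sudo's traditional syslog line format; the host name, users and commands in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in sudo's syslog format; hosts, users and commands are made up.
SAMPLE_LOG = """\
May 13 10:02:11 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
May 13 10:03:27 web1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
May 13 10:05:40 web1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May 13 10:07:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts ; echo x
May 13 10:09:15 web1 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
"""

# "<timestamp> <host> sudo: <invoking user> : <fields separated by ' ; '>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<body>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or "COMMAND=" not in m["body"]:
        return None
    # COMMAND is the last field and its arguments may contain " ; ",
    # so everything after the first "COMMAND=" is taken verbatim.
    head, _, command = m["body"].partition("COMMAND=")
    event = {"ts": m["ts"], "host": m["host"], "user": m["user"],
             "command": command, "reason": None}
    for item in filter(None, (p.strip() for p in head.split(" ; "))):
        key, eq, value = item.partition("=")
        if eq and key.isupper():
            # USER= is the target account, kept apart from the invoking user.
            event["run_as" if key == "USER" else key.lower()] = value
        else:
            event["reason"] = item  # refusal text, e.g. "command not allowed"
    return event

def audit(log_text):
    """Split sudo records into commands run per user and refused attempts."""
    allowed, denied = defaultdict(list), []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        if ev["reason"]:
            denied.append((ev["user"], ev["reason"], ev["command"]))
        else:
            allowed[ev["user"]].append(ev["command"])
    return dict(allowed), denied

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```
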