OSEC

From: Dave Vehrs (davevspiremedia.com)
Date: Fri Oct 12 2001 - 09:20:32 CDT


    > The easiest way to do this that I can think of involves changing root's
    > passwd to something that cannot be used. *X* or something like that
    > ought to do. Then, make 'su' executable only by root. (You probably
    > can't delete it outright, many cron scripts rely on it being there.)
    >
    > Then, make sure your 'sudo' is there, working, with a nice /etc/sudoers
    > file.
    >
    > Now, root can't login if root has to, and the only 'easy' way to get
    > root access is through sudo. (This might cause problems if you have to
    > do maintenance on the machine. :)

    This seems like a bad idea to me.

    While forcing everything through sudo sounds good on the surface, it creates
    a huge administration nightmare. You will need to track and configure every
    possible application that might need root privileges.

    Sure it would be a fairly easy (if large) job to figure out what you are using
    today but what about tomorrow? What about 6 months from now? What about 2
    years from now? What about when you install a new application?

    Or are you going to put visudo into sudo's config? Kinda defeats the
    purpose doesn't it?

    Dave.
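
The closing point of the message above, as an added example that is not part of the original post: a small Python check that reads a sudoers-style file and flags rules that hand back unrestricted root (ALL, visudo, su, shells, editors). The sample file, the `ROOT_EQUIVALENT` list and the function names are constructed for illustration; the parser handles only simple rules and treats every `#` as a comment, so `#include` lines are ignored.

```python
import re

# Assumed, non-exhaustive: commands that amount to full root when run via sudo.
ROOT_EQUIVALENT = {"ALL", "visudo", "su", "sh", "bash", "vi", "vim"}

# Constructed sample, not taken from the original post.
SAMPLE = """\
# constructed sudoers sample
Cmnd_Alias EDIT = /usr/sbin/visudo, /usr/bin/vi
Defaults env_reset
backup  ALL = NOPASSWD: /usr/bin/rsync
webadm  ALL = (root) /usr/sbin/apachectl, \\
              EDIT
dave    ALL = (ALL) ALL
"""

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def audit(text):
    """Return (user, command) pairs for rules that are root-equivalent."""
    aliases, findings = {}, []
    for line in logical_lines(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:  # remember alias members so rules using the alias can be expanded
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        if re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue  # not a user rule
        who, cmds = line.split("=", 1)
        cmds = re.sub(r"\([^)]*\)", "", cmds)   # drop the (runas) part
        cmds = re.sub(r"\b[A-Z]+:", "", cmds)   # drop tags such as NOPASSWD:
        for cmd in (c.strip() for c in cmds.split(",")):
            if not cmd:
                continue
            for real in aliases.get(cmd, [cmd]):
                name = real.split()[0].rsplit("/", 1)[-1]  # basename of the command
                if name in ROOT_EQUIVALENT and not real.startswith("!"):
                    findings.append((who.split()[0], real))
    return findings

if __name__ == "__main__":
    for user, cmd in audit(SAMPLE):
        print(f"{user}: '{cmd}' is equivalent to unrestricted root")
```
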