Reasons for restricting su privilege?

Linda Birmingham linda at cc.brunel.ac.uk
Wed Nov 9 01:07:16 AEST 1988


In article <3948 at encore.UUCP> bzs at xenna (Barry Shein) writes:
>
>>  I'm having a problem convincing some of the people around
>>  here of the dangers of having several super users.  One of
>>  our faculty members insists upon having the privilege,
>>  for whenever one of the normal super users isn't around.  I've
>>  tried every argument I know, all to no avail.  Any hints?
>>  Any new arguments?  For that matter, give me the old arguments.
>
Try getting hold of the super-user shell which was on the net
early this year. sush is a restricted shell that allows systems
administrators to grant specific limited privileges to users.
All commands that are executed are logged to the system log, as
well as other pertinent information.

I feel strongly that the number of super-users should be limited. It's
hard to trace any "funnys" on the system when a number of people have
had their fingers in the pie. We all have bad days. We all make mistakes.
The more super-users you have the more inconsistencies you are going to
get. The more super-users you have the greater the possibility of a terminal
being accidentally left in root mode, and the greater the possibility of
the password being observed.

However, if you are strict about the number of super-users you should always
make sure one of them IS available or at least can be contacted if possible.

>"lab" happy. Too bad, yer dead meat. On the other hand one has to be
>somewhat sensitive to feelings of being treated like a child or an
>idiot, throwing in the accountability with the privileges should
>accomplish that, after all, that's all you're really trying to get
>across (right?!)

Providing you can prove WHO screwed up the system !!

Linda.
-- 
Brunel University, Uxbridge, Middlesex, England.
janet: linda at uk.ac.brunel.cc |  :-)
uucp:...ukc!cc.brunel!linda  |   


