On 01/25/2017 10:14 AM, berndgsflinux wrote:
>
> thanks for your answer. User hacluster works fine.


Glad to hear it. Thanks for posting back your result.

> I don't understand it as a critique. I had this discussion already
> several time, once on an Ubuntu ML.
> I see your point, but i don't agree.
> When i login to one of our servers, this happens because i have
> administrative stuff to do. If i don't have administrative stuff to, i
> don't login in our servers.
> Why should i ?


Perhaps we do different things on servers; a lot of things that I do never
require 'root', such as verifying that services are up, modifying non-root
services (many things on servers do not run as 'root' such as DNS, Apache
httpd, Apache Tomcat, eDirectory, various proprietary applications, etc.)
so going all the way to 'root', vs. the specific account I need (I may be
a group, or I may 'sudo' to become that user) is overkill.

> To edit configuration files, restart services, read logs like
> /var/log/messages i always need root rights.


Yes, for these three things you likely would, though you could probably
remove the last one with a filesystem ACL (FACL) defined once and maybe
also perpetuated via a small change to a logrotate configuration file.

> Of course, i can logon as peterpan, and issue sudo for every command i
> execute. But where is the gain of security, if i issue a "sudo rm -rfv
> /etc" to doing the same being root
> and not using sudo ?


Yes, you would. In my case, anytime I use 'sudo' it means one of two
things for my own process:

1. I try it without root and make sure that the error is what I expect,
such as an error about permissions for the thing I want to
create/change/modify.

2. After typing the command I stop and look at it to be sure it's really
what I want. Did I use relative paths? Do those work where I am? Is
there an absolute path (leading slash) and if so was that intended? Am I
even on the right box for this operation (when SSH'd into a dozen systems
and doing a lot of things in sequence)?

From a step back, using 'sudo' (or equivalent) explicitly implies a focus
on the task at hand and adherence to the principle of Least Privilege
which is good for security, if not operational stability due to accidents
(nuking /etc would certainly count). Take it or leave it. :-)

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...