steve_c
July 14th, 2009, 03:01 AM
While I feel like this is a long shot, I just wanted to check.
Is it possible to create a sudoers file such that members of a certain group (for instance, %admin) have sudo powers for *nearly* everything, but can never become root nor edit things (e.g., the sudoers and/or passwd files) such that they can become root?
At my work we're debating bringing on more people for systems administration whereas previously I'd been the only one. I'm sure by policy I can get the new sysadmin(s) to use their own accounts and sudo to perform their work, but I was wondering (mostly for the sake of auditing) if there was a way to enforce that they were not doing work as root? Disabling the root account entirely is not an option for policy reasons.
Thank you for any help.