On 12/14/2011 07:33 PM, Alexander Schreiber wrote:
> Also, in true multiuser environments, to limit who is allowed to destroy the
> system when - not if - he fucks up. For instance, for corporate workstations
> you might grant everybody in the team/group login access, but only the
> official "owner" and the workstation support team get root access via sudo.

Kerberos is wonderful for this sort of thing; I've used it with great
success. Each user has *their own* root password (or "become root"
password, if you will) in each administrative "realm" (a Kerberos term);
it only works for that user, and on what machine it works is
controllable on a machine-by-machine basis.
-Dave
--
Dave McGuire
New Kensington, PA