On Feb 5, 2008 12:31 PM, Brian D. Ropers-Huilman <brian at ropers-huilman.net> wrote:
> On a Macintosh or in the *buntu model, the first user created
> typically has "full" sudo rights and can do anything on the machine.
> This is _still_ a better security model than allowing root to login to
> the box (locally or remotely) and having a root password set.

I accidentally sent that before completing it.

By limiting root access to sudo commands, you force the user into a mode of consciously making the decision to take administrative actions. Back in the day, it was not at all uncommon for an administrator (or user with such privileges) to log in as root and operate that way on the machine, all day long. This is a huge security exposure.

Not having a root password, preventing remote and local root logins, and explicitly controlling access to root-level administrative commands is definitely a better way to fly.

--
Brian D. Ropers-Huilman, Director
Systems Administration and Technical Operations
Minnesota Supercomputing Institute          <bropers at msi.umn.edu>
599 Walter Library                          +1 612-626-5948 (V)
117 Pleasant Street S.E.                    +1 612-624-8861 (F)
University of Minnesota Twin Cities Campus
Minneapolis, MN 55455-0255                  http://www.msi.umn.edu/
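
An added example, not part of the original message: a Python check for two of the controls the message names (no usable root password, no root login), run over file contents rather than a live system. The sample `/etc/shadow` and `sshd_config` text is constructed, the function names are hypothetical, and treating OpenSSH's `PermitRootLogin` as the remote-login control is an assumption, since the message names no specific service.

```python
def root_password_state(shadow_text):
    """Classify root's password field in /etc/shadow-format text."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            pw = fields[1]
            if pw == "":
                return "empty"    # root logs in with no password at all
            if pw[0] in "!*":
                return "locked"   # no password can match this field
            return "set"          # a usable password hash exists
    return "missing"

def permit_root_login_values(sshd_config_text):
    """Return (global_value, match_values) for PermitRootLogin."""
    global_value, match_values, in_match = None, [], False
    for raw in sshd_config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        key = parts[0].lower() if parts else ""
        if key == "match":
            in_match = True       # settings below apply conditionally
        elif key == "permitrootlogin" and len(parts) > 1:
            if in_match:
                match_values.append(parts[1].lower())
            elif global_value is None:  # sshd keeps the first value it reads
                global_value = parts[1].lower()
    return global_value, match_values

def audit(shadow_text, sshd_config_text):
    """List deviations from: root password locked, root SSH login refused."""
    findings = []
    state = root_password_state(shadow_text)
    if state != "locked":
        findings.append(f"root password is {state}; expected locked")
    global_value, match_values = permit_root_login_values(sshd_config_text)
    if global_value != "no":
        findings.append(f"PermitRootLogin is {global_value or 'unset'}; expected no")
    if any(v != "no" for v in match_values):
        findings.append("a Match block re-enables root login")
    return findings

# Constructed sample inputs (not taken from any real host).
SHADOW_ROOT_SET = "root:$6$examplesalt$examplehash:13914:0:99999:7:::\n"
SHADOW_ROOT_LOCKED = "root:!:13914:0:99999:7:::\nadmin:$6$examplesalt$examplehash:13914:0:99999:7:::\n"
SSHD_ROOT_ALLOWED = "# constructed\nPermitRootLogin yes\n"
SSHD_ROOT_REFUSED = "PermitRootLogin no\n"

if __name__ == "__main__":
    print(audit(SHADOW_ROOT_SET, SSHD_ROOT_ALLOWED), audit(SHADOW_ROOT_LOCKED, SSHD_ROOT_REFUSED))
```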