Hey Matt, Thanks for responding, and thanks for your thoughts. Can you amplify a bit? What's the standard practice in your world? When you say: > ... "The ability to restrict what commands a user may run on a per- host > basis." I get the idea, but is this what people (sysadmins) actually do? To me, it seems that user profiles are the way to go, not customizing permissions for each person, per-host. If you have n persons times m hosts, it gets complicated, doesn't it? Matt, I'm asking, trying to learn how real sysadmins in the real world actually manage this. It seems like an important topic. Thanks again, /rich Matt Kolb writes: > On Nov 19, 2007, at 3:00 PM, Richard Wiggins wrote: > >> I'm curious how folks manage access to Administrator accounts. One >> piece of advice is to create a general user account and use it at all >> times except when you need to install a program or make another system >> change. That way it's harder for spyware or other malware to break in. >> My question is whether those of you who manage fleets of machines give >> your end users access to the Administrator account, even if you >> encourage users to follow the above advice. >> You may have noticed that ACNS will be updating the SSL VPN to support >> Mac's new Leopard operating system. Whenever the SSL VPN is updated, >> users need to upgrade the Java client installed on their computers, and >> this requires admin access. (See >> http://servicestatus.msu.edu/status_detail.php?id=1995) >> Obviously you'd want to avoid the scenario where your user is on the >> road and needs to update the client but they don't have Administrator >> access. >> There are other examples. Once I was using a loaner laptop and could >> not connect to a Wi-Fi network on the road because it was not an >> encrypted network, and Windows demands Administrator access to connect >> anyhow. >> During last Friday's wireless test folks needed to be sure they had a >> Java VM installed, and to install a speed test applet. >> Or maybe you need to upgrade software for some reason while on the road. >> OK, enough examples -- I look forward to hearing how you handle this. > > In unixville, we have traditionally used sudo to accomplish this. Taken > from: http://www.courtesan.com/sudo/intro.html > ... "The ability to restrict what commands a user may run on a per- host > basis." > > Solaris provides a really rich RBAC environment which can be used to > provide specific resources to users based on which roles you want them to > have. An interesting (though dated) article on it is here: > http://www.samag.com/documents/s=7667/sam0213c/0213c.htm > > This really isn't probably what you're after Rich, but I figured I'd > provide a *nix perspective anyways ;) > > ./mk > -- > Matt Kolb <[log in to unmask]> > Academic Computing & Network Services > Michigan State University >