>Someone made the suggestion of creating pseudo user accounts, rather than
>giving users root access to a system. Is there such a thing?
Yes. You can create special accounts for particular purposes. In this
way, privileges can be restricted to exactly what the service needs and
Another approach is to allow a user to assume the identity of another
user for specific tasks only. This is what the 'sudo' tool allows you
Quote:>I guess they want to be able to give users a high level of access to the
>system without actually supplying the root password. Does this make sense?
Yes, and sudo supports this, but don't hand out root privileges if you
can avoid it. This is where the 'pseudo' user accounts can be helpful.
For instance, when I installed the 'updatedb' program, which indexes the
ile system to allow fast filename searches with locate(1), I decided
it should only be able to read the files that *any* user can read, and
the indexes it writes should not be writeable by any other user. So I
created a 'find' account to run updatedb as. Nobody can log in as 'find'.
Another example: let's suppose you want to delegate the installation
and upgrading of the Apache webserver to some other user, without
tying it to their normal account. This makes sense if the maintainer
is likely to change often, or simply for accounting purposes. You can
create an 'apache' user'; the whole Apache software installation belongs
to this user, and the actual Apache maintainer logs in as 'apache' to do
maintenance. The only thing that requires root permission is the actual
start of the server, if it runs on the standard port; either you leave
this task with root or you use sudo to allow 'apache' root privileges
for this one specific command. This is a much safer approach than
handing out the root password to a person who only needs it to restart
Apache once in a while.