Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the '10.4: Hide all low UID users from the login window' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.4: Hide all low UID users from the login window
Authored by: greed on May 24, '06 02:48:32PM

You can use 'sudo -u username' instead of gatewaying through root.

First, use visudo to edit the sudoers file.

Next, you want to add something like this:

dbauser ALL=(postgres) /usr/local/bin/psql, /usr/local/bin/pg_dump

Make dbauser a comma-separated list of all users you need. ALL means any machine; if you're sharing the sudoers file among several machines, then you can put a specific hostname here. The name in parens is the "sudo as" user, it can be a comma-separated list also if you like. (apache,mysql,postgres,mailman) for example. Then a list of allowed commands, or the magic word ALL to allow any command.

Users then can "sudo -u postgres /usr/local/bin/psql", and use their own password, to run as the database superuser.

This is, IMO (and IME), much better than having shared passwords on such accounts. There's several security benefits, AND your users have fewer passwords to remember, so easier to avoid writing them down in a bad place.



[ Reply to This | # ]