by klodolph 1037 days ago
You can disable direct root login and force users to log in as their own account first. This way, any root login is tracked—you know who logged in as root, because they had to log in as their own account in order to run su.

In such a case: sudo su, then.

and let sudo verify that the user belongs to the group of allowed sudoers.

No need for the password to the root account.

Objection: su is a very simple program that does (approximately) one thing. Meanwhile the sudoers(5) man page starts with an introduction to EBNF grammars.

I strongly prefer doas wherever it's available.
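
The audit trail described in the first comment, as an added example that is not part of the thread: a Python script that reads auth-log lines and names the account behind each root session, flagging direct root SSH logins as unattributable. The log lines are constructed and assume the common Linux syslog formats for sshd, su and sudo; the function names are hypothetical.

```python
import re

# Constructed sample lines in the usual Linux auth.log style (not from the thread).
SAMPLE_LOG = """\
Mar  3 09:14:02 web1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50514 ssh2
Mar  3 09:14:40 web1 su[2250]: (to root) alice on pts/0
Mar  3 09:14:40 web1 su[2250]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar  3 10:02:11 web1 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su
Mar  3 11:30:55 web1 sshd[3102]: Accepted password for root from 192.0.2.77 port 40022 ssh2
"""

# su records the invoking account: "(to root) <user> on <tty>".
SU_RE = re.compile(r"\bsu(?:\[\d+\])?: \(to root\) (?P<user>\S+) on (?P<tty>\S+)")
# Successful sudo records start with "<user> : TTY="; denied attempts put a
# reason before TTY= and are deliberately not matched here.
SUDO_RE = re.compile(
    r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : TTY=.*\bUSER=root ; COMMAND=(?P<cmd>.*)$"
)
# A direct root login over SSH only records a source address, not a person.
SSH_RE = re.compile(r"\bsshd(?:\[\d+\])?: Accepted \S+ for root from (?P<src>\S+) ")


def attribute_root_sessions(log_text):
    """Return (via, account, detail) for every root session found in the log.

    account is None when the log cannot tie the session to a personal account.
    """
    events = []
    for line in log_text.splitlines():
        if m := SU_RE.search(line):
            events.append(("su", m["user"], m["tty"]))
        elif m := SUDO_RE.search(line):
            events.append(("sudo", m["user"], m["cmd"]))
        elif m := SSH_RE.search(line):
            events.append(("ssh-direct", None, m["src"]))
    return events


def unattributed(events):
    """Root sessions with no personal account behind them."""
    return [e for e in events if e[1] is None]


if __name__ == "__main__":
    for via, account, detail in attribute_root_sessions(SAMPLE_LOG):
        print(f"{via:10} {account or 'UNKNOWN':8} {detail}")
```
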