We make fairly heavy use of sudoers file at work. Our backups account, for example, can run rsync without a password, but only when connecting from the backups servers. Our vidcon tech can manage/edit gatekeeper-related stuff on the firewalls but nothing else. Our helpdesk can run specific commands on remote servers, but only when connecting from the board office. And so on.
Much nicer than having 15-odd people knowing the root password.
But, the nicest thing about sudo is that every invocation is logged so we have an audit trail. Someone logged in as root (via console, su, ssh if enabled) can screw something up and we wouldn't know who did what or when.
|