> > What I did was to "chown 500 /usr/bin/su" (making it harmless), and to
> > install the skey "su" program as "/usr/local/bin/keysu" (modulo
> > personal preference). Skey's "su" doesn't let root su to other users
> > w/o authentication.
> What's the point of that? As root you can simply:
> execl("/bin/sh", "-i", (char *)0);
> root shouldn't need authentication via su for other UIDs, it only makes
> it a slight hassle to perform normal system administration functions on
> user's directories.
Well, the point here is, if somehow someone snooped a root password or
somehow found out root password, he can't become root using su(1), but
then you may want to make sure you have "secure-ttys" turned on, and
root can't ftp in.