|P is for Practical|
Allowing Bob SUDO access to the box could be very very bad, if he truly is a problem. On the other hand, allowing Bob into the access group that can run the apache restart program via a suid bit, means that the only damage he can effectively do (besides erasing config files) is starting and stoping the web server; the rest of the box remains secure.
Either I miss somthing either you ignore that sudo can be configured to grant precise/limited access to some prog.
Here I allow user1,user2,user3 (WEBMASTERS's sudo group) to use apachectl
Here I allow user2,user3 (SYSADMINS's sudo group) to use the ueber-elite /bin/wiz command
Here I allow user4 (DUMBUSERS's sudo group) to use the /bin/blah (I really don't trust him ;-)
If an intruder compromise the user4 account he can't do more than executing /bin/blah.
Sudo offer tons of other features (ask for passwd, execute under other UID...).
You really should give it a try...
"Only Bad Coders Code Badly In Perl" (OBC2BIP)
In reply to Re: Re: Re: Re: Executing Root Commands from user level