In <email@example.com>, Tyler Smith wrote:
>Kelly Clowers <firstname.lastname@example.org> writes:
>> On Sun, Nov 14, 2010 at 23:20, Andrei Popescu <email@example.com>
>> wrote:
>>> On Du, 14 nov 10, 20:54:42, Bob Proulx wrote:
>>>> And if 'sudo' isn't configured for you then that is the first thing
>>>> that you will want to do. :-)
>>>>
>>>> # visudo
>>>> rob ALL=(ALL) ALL
>>>
>>> What's wrong with su?
>>
>> It is The Wrong Way(TM), because it involves giving everyone the
>> root password
>> and unlimited authority, and it has very little in the way of logging.

Just want to interject that the logging in sudo is largely pointless if you
allow ALL binaries, any shell, or most editors to be executed directly. It is
quite easy to subvert by invoking a shell or otherwise having the binary read
and fork()/exec() stuff.

>Doesn't the 'ALL=(ALL) ALL' line give the user unlimited authority
>anyways? Is there any security benefit to logging in as a user with
>unlimited sudo access over just logging in as root?
>
>I don't see the point of sudo *except* to allow fine-grained control to
>select programs to select users. Using it to provide open access seems
>counter-productive.

A shared password is a compromised password. Even when "ALL=(ALL) ALL" is
used, sudo avoids having the root password be shared, which is a good thing if
there are multiple administrators.

On a single-user system, many of the security enhancements that sudo provides
are rather pointless. However, in that situation using the NOPASSWD option
allows sudo to go the opposite way -- slightly less secure -- in favor of
(what some would call) more ease of use.

I encourage sudo use everywhere, because it is simply a better tool than su,
but for purposes of this thread any way you want to get root permissions is
fine.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
firstname.lastname@example.org           ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
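
Added example, not part of the original message: a small Python audit for the point raised above, that sudo's log records only the first command when a rule allows ALL, a shell, or an editor. The shell and editor lists, the function name audit_sudoers, and every sample entry other than "rob ALL=(ALL) ALL" are assumptions; aliases and #include files are not expanded.

```python
import re

# Assumed, illustrative lists; extend them for the systems you audit.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
EDITORS = {"vi", "vim", "nano", "emacs", "ed"}
NON_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def audit_sudoers(text):
    """Return sorted (line_no, who, finding) tuples for rules that weaken the sudo audit trail."""
    findings = set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drops comments (and #include lines)
        if not line or line.startswith(NON_RULES) or not (match := RULE.match(line)):
            continue
        who, commands = match.groups()
        noexec = False  # sudo's NOEXEC tag blocks exec() from dynamically linked programs
        for item in commands.split(","):
            item = item.strip()
            while (tag := TAG.match(item)):
                if tag.group(1) == "NOPASSWD":
                    findings.add((line_no, who, "NOPASSWD"))
                if tag.group(1) in ("NOEXEC", "EXEC"):
                    noexec = tag.group(1) == "NOEXEC"
                item = item[tag.end():]
            if not item or item.startswith("!"):
                continue  # negated entries grant nothing
            name = item.split()[0].rsplit("/", 1)[-1]
            if name == "ALL":
                findings.add((line_no, who, "ALL commands"))
            elif name in SHELLS:
                findings.add((line_no, who, "shell: " + name))
            elif name in EDITORS and not noexec:
                findings.add((line_no, who, "editor: " + name))
    return sorted(findings)

# Constructed sample input, not taken from any real system.
SAMPLE = """\
Defaults env_reset
rob     ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/vim /etc/hosts
carol   ALL=(root) /usr/sbin/service nginx restart
dave    ALL=(root) /bin/bash
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(*finding)
```

Rules that come back empty, such as the constructed carol entry, are the ones where the logged command line is the whole story.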