[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Reporting missing package during install

Andrei POPESCU writes:
 > On Lu, 09 dec 13, 09:09:11, Gian Uberto Lauri wrote:
 > > 
 > > What are the benefits of The "Macintosh/Ubuntu" use of sudo? Improved
 > > security? Are you kidding? Whatever the user I compromise I have root
 > > access, just type "sudo bash".
 >  
 > sudo doesn't make this worse, just slightly easier. Compromising any 
 > user account used for getting root is equivalent to getting root on the 
 > system.

sudo makes it a bit worse. Any user account opens the door to the root
account. Therefore you have to guard a larger perimeter.

 > > Furthermore the  sudo habit of  keeping valid an authentication  for a
 > > certain amount  of time  seems like  an open  door for  malicious code
 > > injection.
 > 
 > 1. this can be turned off

It should by default, or the configuration should be more flexible and
interactive.

Even rewriting the configuration-file-handling-code in sudo could be a
good idea :>.

 > 2. it's still better than having to require a password every time the 
 > user runs 'sudo <command>', because the net effect would be that most 
 > would disable the password completely or just leave a 'sudo -i' session 
 > active for ever (and not lock their screen, etc.)

Teach them to use a root session that must be handled with exteme
care.

I have to do X commands as root? I su root, do the X command and close
the session.

With the off-the-shelf configuration, the simplest thing to do is sudo
bash.

(BTW, I work with a root-dedicated terminal with proper "scary" icon and
color theme to remind me that it's a "dangerous" environment).

 > > And if  this not enough, sudo  may become disruptive on  machines with
 > > several users, unless  all of them have the  required skills (included
 > > the  one of  stopping and  asking advice!)  and common  administration
 > > policies are accepted by all.
 > 
 > Sorry, but I don't think it's fair to blame 'sudo' for the fact that the 
 > system administrator granted sudo privileges to the wrong users. You 
 > can't solve social problems by technical means.

I blame the default configuration sudo is shiwpped with.

Andrei, I never walked in your shoes  so I can't do assumption on your
experiences.

Mine talk about a group with a sysadmin where having "all this
freedom" to sudo lead to a waste and misallocation of resources that
took some *months* to fix.

Yes, policies should have prevented this, but this use of sudo leads
users to feel less "the danger" that lies beneath using administrative
privileges in a system. It's a psychological barrier that you should
not underestimate.

-- 
 /\           ___                                    Ubuntu: ancient
/___/\_|_|\_|__|___Gian Uberto Lauri_____               African word
  //--\| | \|  |   Integralista GNUslamico            meaning "I can
\/                 coltivatore diretto di software       not install
     già sistemista a tempo (altrui) perso...                Debian"

Warning: gnome-config-daemon considered more dangerous than GOTO
Reply to: