Re: Reporting missing package during install
Andrei POPESCU writes:
> On Lu, 09 dec 13, 09:09:11, Gian Uberto Lauri wrote:
> >
> > What are the benefits of The "Macintosh/Ubuntu" use of sudo? Improved
> > security? Are you kidding? Whatever the user I compromise I have root
> > access, just type "sudo bash".
>
> sudo doesn't make this worse, just slightly easier. Compromising any
> user account used for getting root is equivalent to getting root on the
> system.
sudo makes it a bit worse. Any user account opens the door to the root
account. Therefore you have to guard a larger perimeter.
> > Furthermore the sudo habit of keeping valid an authentication for a
> > certain amount of time seems like an open door for malicious code
> > injection.
>
> 1. this can be turned off
It should by default, or the configuration should be more flexible and
interactive.
Even rewriting the configuration-file-handling-code in sudo could be a
good idea :>.
> 2. it's still better than having to require a password every time the
> user runs 'sudo <command>', because the net effect would be that most
> would disable the password completely or just leave a 'sudo -i' session
> active for ever (and not lock their screen, etc.)
Teach them to use a root session that must be handled with exteme
care.
I have to do X commands as root? I su root, do the X command and close
the session.
With the off-the-shelf configuration, the simplest thing to do is sudo
bash.
(BTW, I work with a root-dedicated terminal with proper "scary" icon and
color theme to remind me that it's a "dangerous" environment).
> > And if this not enough, sudo may become disruptive on machines with
> > several users, unless all of them have the required skills (included
> > the one of stopping and asking advice!) and common administration
> > policies are accepted by all.
>
> Sorry, but I don't think it's fair to blame 'sudo' for the fact that the
> system administrator granted sudo privileges to the wrong users. You
> can't solve social problems by technical means.
I blame the default configuration sudo is shiwpped with.
Andrei, I never walked in your shoes so I can't do assumption on your
experiences.
Mine talk about a group with a sysadmin where having "all this
freedom" to sudo lead to a waste and misallocation of resources that
took some *months* to fix.
Yes, policies should have prevented this, but this use of sudo leads
users to feel less "the danger" that lies beneath using administrative
privileges in a system. It's a psychological barrier that you should
not underestimate.
--
/\ ___ Ubuntu: ancient
/___/\_|_|\_|__|___Gian Uberto Lauri_____ African word
//--\| | \| | Integralista GNUslamico meaning "I can
\/ coltivatore diretto di software not install
già sistemista a tempo (altrui) perso... Debian"
Warning: gnome-config-daemon considered more dangerous than GOTO
Reply to: