
Re: Security of sudo [was: Re: /usr/bin before /usr/local/bin?]




A long time ago, in a galaxy far, far away, someone said...

> I'm of the same opinion with regard to sudo. Basically, if you're the
> sort of person who never passes your password over the network in
> plaintext (i.e., ssh, apop, etc.), then it's unlikely someone will be
> able to sniff your password. If an unprivileged account is compromised,
> chances are it will be without the password (i.e., a buffer overrun in a
> daemon running as something like nobody). Even if an attacker is able to
> get a shell running as your user, they still don't have access to the
> password file, and if they did, would have to decrypt your password.
>
> Without actually knowing your password, which sudo requires, having your
> account *isn't* equivalent to having root.

There's also the side benefit that you can give limited root access to
people you only sorta trust with administrative duties, especially since
you don't need to give out the root password anymore :)

sudo rocks, btw.  It should be standard equipment on any and all
Linux/unix systems.  But only on OpenBSD is that so :(

> Of course, I might have missed something somewhere... Anyone?

What about the people who do something like this with their sudo entry:

username  ALL = NOPASSWD: ALL

Able to execute any command as root without giving any sort of
authorization information...

The power to do it is there.  Someone's bound to do it.

-- 
----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
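As an added illustration, not part of the original message, here is a small audit script that flags the kind of NOPASSWD sudoers entry discussed above. The sudoers content is a constructed sample; the rule that a NOPASSWD: tag carries over to later commands in the same list until a PASSWD: tag overrides it is taken from sudoers(5).

```python
import re

# Constructed sample sudoers file, not taken from the original post.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
username    ALL = NOPASSWD: ALL
backup      ALL = NOPASSWD: /usr/bin/rsync, /bin/tar
deploy      ALL = (root) NOPASSWD: /usr/bin/systemctl restart app, \\
                PASSWD: ALL
"""
NON_USER_SPECS = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def _logical_lines(text):
    """Yield sudoers lines with '#' comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def nopasswd_entries(text):
    """Return (user, command) pairs that sudo will run without asking for a password.
    Per sudoers(5), a tag such as NOPASSWD: sticks to every later command in the same
    list until the opposite tag (PASSWD:) overrides it."""
    found = []
    for line in _logical_lines(text):
        if line.startswith(NON_USER_SPECS) or "=" not in line:
            continue
        who, _, spec = line.partition("=")  # 'user host_list = cmnd_spec_list'
        user, nopasswd = who.split()[0], False
        for cmd in spec.split(","):
            cmd = re.sub(r"^\([^)]*\)\s*", "", cmd.strip())  # drop a (runas) prefix
            while (m := re.match(r"([A-Z_]+):\s*", cmd)):  # consume tag prefixes
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(m.group(1), nopasswd)
                cmd = cmd[m.end():]
            if nopasswd and cmd:
                found.append((user, cmd))
    return found

def unrestricted_nopasswd(text):
    """Users who can run any command as root with no authentication at all."""
    return sorted({user for user, cmd in nopasswd_entries(text) if cmd == "ALL"})
```

Running it over a real /etc/sudoers (and the files it includes) gives a quick inventory of who can become root without ever being asked for a password.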