
Re: star office debian-correct installation



On Mon, Jun 11, 2001 at 09:10:40AM -0500, Dave Sherohman wrote:

:That is a topic of much debate.  In general, I fall on the "sudo is evil"
:side of the fence, but the basic arguments are:

<snip>

:anti-sudo:  It allows you to give limited root access to certain users
:without requiring that they know the root password.  This allows an
:attacker to obtain elevated privileges on the machine by discovering
:only a user password instead of requiring that they find both a user
:password and the root password.

Obviously I'm on the other side of this most religious debate :)

First, I've seen a lot of interesting (and just plain dumb too) ways of
breaking into Un*x boxen, but never this one.

More importantly, if someone gets a local user there's a very high
likelihood they can force root easily from there.  My security policy
is based on the presumption that any local account equates to root.

If I was cracking a box and had a choice between a local root exploit
and using sudo, I'd take the sploit as sudo does logging which I'd
then need to go erase.

Likewise, if you don't trust a user with full root access, for the
love of $DEITY don't give them sudo.  I'm sure even if you restricted
the commands to /bin/true someone could find a way to root.

In practice the people who have sudo also have root and we use sudo
mostly to leave an audit trail.

-jon


