
Re: What can't sudo do?



On Mon, Mar 15, 2004 at 02:52:49PM -0800, Bill Moseley wrote:
> Currently, my account where I spend most of my time is a normal account
> and the only way to do root stuff is to su to root.  If I use sudo (to
> try and provide most admin functions) then I would worry because my
> normal account then has more privileges than I'd want.  Then someone only
> needs to gain access to my account instead of root.  Can't ssh to root,
> but can ssh to my account, etc.

But your setup has more or less the same properties: someone only has to
gain access to your account, wait until you next type 'su', and then
sniff your password. Easy. sudo with NOPASSWD makes it pretty blatantly
equivalent, sure, but I would consider any account that regularly
escalates to root to be security-equivalent to root.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]


