In Friday 22 May 2009, Glyn wrote: >--- On Fri, 22/5/09, Boyd Stephen Smith Jr. <bss@iguanasuicide.net> wrote: >> Glyn Astill wrote: >> > ALL=(All) ALL is a bad idea. >> >> Um, no. With 'ALL=(ALL) ALL' they would still have to >> type in their >> password unless they had recently given their >> credentials. If you want to >> you can turn off the caching of credentials, so that sudo >> always asks for a >> password. You can also have it ask for the target >> user's password instead >> of the source user's password, if you like. >> >> 'ALL=(ALL) ALL' is no more dangerous than having the 'su' >> binary available. >> >> The NOPASSWD option is not the default. > >No. For su they'd have to enter the root password, for sudo su they'd just > have to enter the password of the current user and they are root. 1. That depends on how the administrator has configured sudo; my openSUSE laptop asks for root's password when my user runs sudo. 2. That is an advantage, not a disadvantage in many environments; the more a password is shared the harder it is to protect and change. 'ALL=(ALL) ALL' is differently secure than have a 'su' binary around, but it is not more or less secure. -- Boyd Stephen Smith Jr. ,= ,-_-. =. bss@iguanasuicide.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/ \_/
Attachment:
signature.asc
Description: This is a digitally signed message part.