On Thursday 29 July 2010 11:51:55 Jordon Bedwell wrote:
> On 7/29/10 11:31 AM, Jordan Metzmeier wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > On 07/29/2010 12:22 PM, Boyd Stephen Smith Jr. wrote:
> >> I understand your issues with all but the last one. A user may need
> >> to "sudo su" due to configuration outside of their control. A system
> >> that requires you to "sudo su" for some task is likely misconfigured,
> >> but it is a useful tool to have around, as a user.
> >
> > I no longer configure my machines in a way that it allows a user to gain
> > full root via sudo. However, when I did, I found "sudo -i" to be more
> > appropriate than "sudo su" which seems to be more like "su -l". Of
> > course, you could always do "sudo su -l".
>
> I think the irony is still hitting from: "generally imply a limited,
> incomplete, or flawed understanding of one or more of the tools you are
> using"
Allowing a user to run (sudo su) requires them to have permissions to run the
command output by (which su) from their shell. Allowing a user to run (sudo -
i) requires them to have permissions to run the command output by (awk -F: '$1
== "root" { print $7; }' /etc/passwd | head -n 1). Allowing a user to run
(sudo -s) requires them to have permissions to run the command output by
(which $SHELL) from their shell. These three things are not always the same.
You may have permissions to do one or more of them and still be unable to give
yourself permissions to do all of them (think: SELinux).
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
Attachment:
signature.asc
Description: This is a digitally signed message part.