[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: permissions/sudo/sudoers

On Tue, 2 Apr 2013 12:43:56 -0600
Bob Proulx <bob@proulx.com> wrote:

> (Use 'visudo -f /etc/sudoers.d/local-foo' explicitly.)  But
> it makes upgrades easier so I do it this way.

What is so difficult about that and sudoers could be for users and
sudoers.d for dev changes. You could even only warn upon uncommented
entries. Compare kdmrc with lightdm.conf.

The mergers really should be cleverer too. It is not difficult to check
the part that you are changing has not changed.

Which is easier between kdmrc and lightdm.conf before the removal of
commented entries and which has the most forum posts asking about
examples, it is lightdm.conf. Ok so kdmrc seperating out into a seperate
file like sudoers.d would be better with no merging by the system as
long as you don't end up with lots of files rather than 2 like file-rc
(I prefer) compared to the symlink mess. Or even worse sudo with polkit
which expects users to allow default generalities and encourages them
to copy and paste as root and use a browser even on servers.

I have to say I am surprised there are so many threads saying polkit is
superior without justification when it is clearly inferior to sudo and
simply duplicates security consideration and gives 20x the auditing

I did leave one useful tip out too.

Default:username timestamp_timeout=0 will make sudo ask for the
password for that particular user everytime and I believe can be used on
the fly. There is no necessity to use just one user for admin.

Reply to: