On Ma, 28 ian 20, 08:24:29, David Wright wrote:
My view is that more damage is done to home systems by the sysadmins
than by external malice, so anything that protects the system from
such damage is a useful resource. I think that selective sudo¹
provides one way of reducing damage by separating critical operations
(done by su'ing to root) from the benign day-to-day maintenance
done using sudo.
¹ by selective sudo I mean
$ sudo some-command …
$
Do you mean setting up sudo only for specific commands? That is surely
useful to delegate specific tasks (e.g. 'apt update && apt upgrade') to
an advanced user.
rather than the locked-up sudo-only scheme that you can select with
the debian-installer. I'm not familiar with the latter.
Debian's sudo setup is quite simple: members of group 'sudo' get full
root privileges by providing their *own* password. 'sudo some-command'
works, as well as 'sudo -i' to get a root shell. Root logins (an
consequently also 'su') are disabled.
In my opinion sudo is best used something like:
$ sudo apt update
$ apt search some_string
$ apt show some_package
$ sudo apt install some_package
$ man some_program
$ sudo some_program do_stuff_requiring_root
etc.