Re: Sudo

To: debian-user@lists.debian.org
Subject: Re: Sudo
From: David Wright <deblis@lionunicorn.co.uk>
Date: Wed, 29 Jan 2020 20:16:51 -0600
Message-id: <[🔎] 20200130021651.GA7383@wren.corp>
Reply-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20200129070443.tsaybp2tu6umvt5t@cbuster.nuvreauspam>
References: <[🔎] 535ac734-0358-46b0-8304-1690af182b11@www.fastmail.com> <[🔎] 20200125094027.459b355d@debian9> <[🔎] CAMPM96oqF3roezHJVpmNn4MhwA0H-dCCQ5Cv-BhjOGHiVsejPA@mail.gmail.com> <[🔎] 20200125192839.285394d3@debian9> <[🔎] 20200127162130.2sslznyfq5m4a2vn@cbuster.nuvreauspam> <[🔎] 20200127130117.5036c1f0@debian9> <[🔎] 20200128081618.3et5ehty3bnk3i44@cbuster.nuvreauspam> <[🔎] 20200128142429.GA11735@wren.corp> <[🔎] 20200129070443.tsaybp2tu6umvt5t@cbuster.nuvreauspam>

On Wed 29 Jan 2020 at 09:04:43 (+0200), Andrei POPESCU wrote:
> On Ma, 28 ian 20, 08:24:29, David Wright wrote:
> > 
> > My view is that more damage is done to home systems by the sysadmins
> > than by external malice, so anything that protects the system from
> > such damage is a useful resource. I think that selective sudo¹
> > provides one way of reducing damage by separating critical operations
> > (done by su'ing to root) from the benign day-to-day maintenance
> > done using sudo.
> > 
> > ¹ by selective sudo I mean
> > 
> > $ sudo some-command …
> > $ 
> 
> Do you mean setting up sudo only for specific commands? That is surely 
> useful to delegate specific tasks (e.g. 'apt update && apt upgrade') to 
> an advanced user.

Yes, though I have to be the "advanced" user as there's no other candidate.
(Note that there's no password prompt between those two bash prompts.)
I add commands to my sudoers files on the basis of how frequently I
need them and how benign they are. I gave a few examples a couple of
posts ago.

> > rather than the locked-up sudo-only scheme that you can select with
> > the debian-installer. I'm not familiar with the latter.
> 
> Debian's sudo setup is quite simple: members of group 'sudo' get full 
> root privileges by providing their *own* password. 'sudo some-command' 
> works, as well as 'sudo -i' to get a root shell. Root logins (an 
> consequently also 'su') are disabled.
> 
> In my opinion sudo is best used something like:
> 
> $ sudo apt update
> $ apt search some_string
> $ apt show some_package
> $ sudo apt install some_package
> $ man some_program
> $ sudo some_program do_stuff_requiring_root
> etc.
> 
> Hope this explains,

Well, there would be corner cases I'd want to find out about before
I'd change my habits. For example, how does this scheme affect
# scp … root@somewhere:
and
$ scp … root@somewhere:
Also unanswered from two posts ago: "what happens when you boot into
single/recovery mode from grub—what are you presented with?"

Lastly, what are the benefits that I would reap from changing over?

Cheers,
David.

Reply to:

References:
- Sudo
  - From: "Harold Hartley" <wheelie207@ownmail.net>
- Re: Sudo
  - From: Patrick Bartek <nemommxiv@gmail.com>
- Re: Sudo
  - From: Paul Johnson <baloo@ursamundi.org>
- Re: Sudo
  - From: Patrick Bartek <nemommxiv@gmail.com>
- Re: Sudo
  - From: Andrei POPESCU <andreimpopescu@gmail.com>
- Re: Sudo
  - From: Patrick Bartek <nemommxiv@gmail.com>
- Re: Sudo
  - From: Andrei POPESCU <andreimpopescu@gmail.com>
- Re: Sudo
  - From: David Wright <deblis@lionunicorn.co.uk>
- Re: Sudo
  - From: Andrei POPESCU <andreimpopescu@gmail.com>

Prev by Date: Re: Ethernet trouble
Next by Date: Re: Fresh install UEFI debian-10.2.0-amd64-xfce-CD-1 will not boot
Previous by thread: Re: Sudo
Next by thread: Re: Sudo
Index(es):
- Date
- Thread