Date: Thu, 16 Dec 2004 16:39:59 -0600
From: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
To: Paul Schmehl <pauls@utdallas.edu>
Cc: freebsd-questions@freebsd.org
Subject: Re: Why reccomend Bash shell?
Message-ID: <41C20EBF.9080100@daleco.biz>
In-Reply-To: <0A2B2390CE654BA6B5F8E621@utd49554.utdallas.edu>
References: <005a01c4e31c$efc4d460$0200a8c0@PANASONIULSWMR> <41C16D47.7030302@infracaninophile.co.uk> <0A2B2390CE654BA6B5F8E621@utd49554.utdallas.edu>

Paul Schmehl wrote:

> --On Thursday, December 16, 2004 11:11:03 AM +0000 Matthew Seaman
> <m.seaman@infracaninophile.co.uk> wrote:
>
>>
>> On the other hand, I take the view that the less done by the super user
>> the better, and discourage myself to use sudo(1) preferentially and to
>> keep su(1) sessions as short as possible by making root's shell as
>> /unfriendly/ as possible.
>>
> Is this a religious argument?  Or is there a sound security basis for it?
>
> I ask because I'm not sure I see the difference.  I prefer to leave sudo
> set up to prompt for a password.  This at least reminds you that what
> you're doing is "root's" work (and if you screw up, you could do "bad"
> things.)  If I'm going to do a lot of work, I just su - to root, do
> the work and then get out.  I don't allow remote root access, so I'm
> wondering - am I exposing my systems to some unnecessary risk?  Or is
> this just a matter of personal preference?

The primary reason, IMHO, for such an opinion is just what you
mention --- the danger that, as root, you'll fsck some command
line (the infamous "rm -rf /*") and cook your goose in its own
grease....

[Come to think of it, I got myself in a little trouble once by quitting
the editor on /etc/fstab a little too quickly (before double checking
what I'd typed --- can't say it'd been any different using sudo, though)].

In your case, I'd venture the opinion that if you're not using
NOPASSWD with sudo, you've pretty much got this concern taken
care of, as much as can be expected.

I also think maybe he meant to use "encourage" instead of
"discourage", but you'd really have to ask him ....

Kevin Kinsey
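
An added example, not part of the original message: a POSIX shell check for the NOPASSWD case discussed above. It goes slightly further and also flags `Defaults !authenticate`, which likewise turns off sudo's password prompt. The function names and the sample sudoers text are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudoers rules that skip the password prompt.
# Reads sudoers-format text on stdin, prints "first-line: rule" per finding.
# Simplifications: include directives are not followed, aliases are not
# expanded, and trailing-comment stripping is approximate.
audit_sudoers() {
    awk '
    {
        if (buf == "") start = NR          # first physical line of the rule
        buf = buf $0
        if (buf ~ /\\$/) {                 # trailing backslash: rule continues
            sub(/\\$/, " ", buf)
            next
        }
        rule = buf; buf = ""
        gsub(/[ \t]+/, " ", rule)          # normalise whitespace
        sub(/^ /, "", rule)
        if (rule ~ /^#/ && rule !~ /^#[0-9]/) next   # comment or #include
        sub(/ #.*/, "", rule)              # drop a trailing comment
        if (rule ~ /NOPASSWD ?:/ || (rule ~ /^Defaults/ && rule ~ /!authenticate/))
            printf "%d: %s\n", start, rule
    }'
}

# Constructed sample input, not taken from any real system.
sample_sudoers() {
    cat <<'EOF'
# %wheel ALL=(ALL) NOPASSWD: ALL
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
backup  ALL=(root) \
        NOPASSWD: /usr/local/bin/rsync
Defaults:deploy !authenticate
alice   ALL=(ALL) ALL   # NOPASSWD: dropped after review
EOF
}

# Demo run on the constructed sample; on a real host, feed it the
# sudoers file instead (reading that file normally requires root).
sample_sudoers | audit_sudoers
```

Only the rule for `backup` (joined across its continuation line) and the `Defaults:deploy` line are reported; the commented-out `%wheel` rule and the trailing comment on the `alice` line are ignored.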