From owner-freebsd-questions@FreeBSD.ORG Wed Jan 21 18:51:46 2009
Date: Wed, 21 Jan 2009 10:51:45 -0800
From: pete wright
To: Tim Judd
In-Reply-To: <4976A344.3090106@gmail.com>
References: <49762F6C.8040404@comcast.net> <20090120222942.GB26526@lava.net> <4976A344.3090106@gmail.com>
Message-ID: <57d710000901211051u12ad4ca6ifc5b96046953c4dd@mail.gmail.com>
Cc: questions@freebsd.org, Akenner, Clifton
 Royston
Subject: Re: Edit user groups

> and I recommend against sudo because its very design is a man-in-the-middle
> type of scenario, and one typo by the sudo devs can possibly make a mess out
> of things.
>
> I think sudo makes a lazy admin -- too easy to just run in and hit
> something.
>
> I think sudo is a false sense of security. If a user trusts another, and
> gives sudo access, why not give the whole OS to them?
>
> Sudo's out there -- don't get me wrong, but you won't catch me dead with a
> box with sudo installed. I think it's a very misleading tool. And not to
> say they do -- but what if the devs put in a keygen...do you monitor the
> sudo source code?
>
> And if I remember correctly -- the way sudo gets its work done is a SUID
> bit to root. Those are the devil's eggs that hatch and just cause havoc. A
> rogue CGI calling sudo to do something on the website, buffer overflow (with
> php!) and you've gotten rooted.
>
> No, no -- I hate sudo for its own doing. It's going to eat itself alive.
>
> No flames please.

not a flame, but a point of order - you can grant sudo privs to a user that
does not automatically give them full root/wheel privs. I reckon this is
something that most admins have had to come across when working in a
multiuser environment.
what sudo also provides you is:

1) an audit trail of who did what, when, with said escalated privs
2) a way to give non-wheel users access to run specific commands that may
   require escalated privs

so I'm not really sure why one would want to throw out the baby with the
bath water, it's just another layer on the onion - and much better than
giving everyone root access, or requiring the one or two trusted users in
wheel to execute any program that may require escalated privs (rndc reload,
apachectl reload come to mind immediately).

-p

-- 
~~o0OO0o~~
Pete Wright
www.nycbug.org
NYC's *BSD User Group
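An added example, not from this thread or from the sudo project, of consuming the audit trail Pete describes: it parses sudo's syslog-style log records and checks each entry against an assumed per-user grant list written the way a sudoers Cmnd_Alias would spell it, so refused attempts and commands that fall outside the written policy stand out. The host, user names, paths and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of sudo's syslog-style records; host, users and paths are made up.
SAMPLE_LOG = """\
Jan 21 10:40:12 ns1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/rndc reload
Jan 21 10:42:03 ns1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/local/sbin/apachectl graceful
Jan 21 10:45:30 ns1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Jan 21 10:47:55 ns1 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/rndc reload
Jan 21 10:50:01 ns1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/local/sbin/apachectl stop
"""

# Assumed policy: each user's intended grant, as a sudoers Cmnd_Alias would spell it.
ALLOWED = {
    "alice": {"/usr/sbin/rndc reload"},
    "bob": {"/usr/local/sbin/apachectl graceful", "/usr/local/sbin/apachectl reload"},
}

# A successful run has no reason field; a refusal or auth failure puts one before TTY=.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_log(text):
    """One dict per recognised line; 'reason' is None when sudo ran the command."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def audit(events, allowed):
    """Bucket events: 'ok' (ran and covered by the expected grant), 'denied' (sudo
    refused or authentication failed), 'outside-policy' (ran, but the grant list
    does not cover it, so sudoers and the written policy have drifted)."""
    report = defaultdict(list)
    for e in events:
        if e["reason"] is not None:
            report["denied"].append((e["user"], e["reason"], e["cmd"]))
        elif e["cmd"] in allowed.get(e["user"], set()):
            report["ok"].append((e["user"], e["cmd"]))
        else:
            report["outside-policy"].append((e["user"], e["cmd"]))
    return dict(report)

if __name__ == "__main__":
    print(audit(parse_sudo_log(SAMPLE_LOG), ALLOWED))
```

On a real host the same records come from the auth syslog facility or the file named by `Defaults logfile`; pointing `parse_sudo_log` at that file and `ALLOWED` at the grants you intended is the whole change.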