Date: Thu, 05 Apr 2007 08:56:28 -0500
From: Kevin Kinsey <kdk@daleco.biz>
To: Victor Engmark <victor.engmark@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Should sudo be used?
Message-ID: <4615000C.2070407@daleco.biz>
In-Reply-To: <7d4f41f50704050142v9c73a17tb1812f218ea4416@mail.gmail.com>
References: <7d4f41f50704050142v9c73a17tb1812f218ea4416@mail.gmail.com>

Victor Engmark wrote:
> Hi all,
>
> I thought it would be a good idea to use sudo on my FreeBSD laptop, but I'm
> having doubts after checking the handbook (it's not mentioned at all) and
> Google (most of the articles were obscure and / or old).

It's not mentioned in the FreeBSD Handbook because it's not part of the
FreeBSD "base system". It would open up a rather big door that the FDP
doesn't wish to run through if they began writing up instructions for
software that's not in the base. I don't know if any research exists to
tell us how many FreeBSD machines have sudo installed, though; I'd wager
more than a few.

> Are you using sudo? If not, why?

Absolutely.

---

Pietro Cerutti:
> Yes I am. I would say anything allowing not to use the root password
> is worth using.

Root passwords can be "visually sniffed" by someone nearby. Good reason.

Christian Walther:
> Well, sudo makes execution of several commands or script as another
> user quite simple because there's no need to enter the root password.

It's a handy tool for calling your own scripts, or running unprivileged
scripts that need to perform a privileged operation. I believe Christian
also mentioned shell aliases; one example from our usage is allowing a
non-privileged user to establish a PPP connection; either a CLI alias or
a GUI button aliased to "sudo ppp -background myisp".

In my GUI I don't wish to run as root; sudo is used so I can be "me" and
still have pretty buttons that run Ethereal, format a floppy disk, etc..
And "alias | grep -c sudo" in my shell returns 11, although some of
those aren't used frequently.

Amarendra Godbole:
> My primary reason is proper logging in the syslog.

Valid; another primary reason is keeping tabs on other people via the
same mechanism. Technically, I'm the only "user" on my box, but it's the
gateway and proxy server for our LAN, so I know if an employee is trying
something with sudo; I'm teaching my 13-year old a little Unix-fu, and
was gratified to get email from sudo last month letting me know he had
attempted to "unban" an online game he's been "grounded" from by our
Squid proxy.

Obviously, there are differences of opinion about sudo; OpenBSD has it
as part of their "base system", but enough "controversy" (if that's the
right word, and it probably isn't) exists that the BSD Certification
group wrote this as a learning objective:

] Be familiar with standard system administration practices used
] to minimize the risks associated with accessing a system. These include:
]
] * using ssh instead of telnet
] * denying root logins
] * (possibly) using the third-party sudo utility instead of su, and
] * minimizing the use of the wheel group.

As (I think?) someone else mentioned, "tools, not policy" is a UNIX
axiom. So, it's up to you to make your own policy.

#include <disclaimer.h>, YMMV, and all that.

Kevin Kinsey
-- 
At social gatherings, I would amuse everyone
by standing uponst the coffee table and striking
meself repeatedly upon the head with a brick.
		-- H. R. Gumby
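
The syslog trail that the message gives as a reason for using sudo can be reviewed mechanically. The following is an added example, not part of the original e-mail: it parses sudo's default syslog line layout and counts refused attempts per user. The log lines, host name, user names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in sudo's default syslog layout (not from the e-mail).
SAMPLE_LOG = """\
Apr  5 08:41:02 gw sudo:    kevin : TTY=ttyp0 ; PWD=/home/kevin ; USER=root ; COMMAND=/usr/sbin/ppp -background myisp
Apr  5 19:12:44 gw sudo:   junior : command not allowed ; TTY=ttyp2 ; PWD=/home/junior ; USER=root ; COMMAND=/usr/local/sbin/squid -k reconfigure
Apr  5 19:13:10 gw sudo:   junior : 3 incorrect password attempts ; TTY=ttyp2 ; PWD=/home/junior ; USER=root ; COMMAND=/bin/sh
Apr  5 19:20:01 gw sudo[812]:    guest : user NOT in sudoers ; TTY=ttyp3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/less /etc/master.passwd
Apr  5 19:21:00 gw sshd[900]: Accepted publickey for kevin from 192.0.2.10 port 50122 ssh2
"""

# "<timestamp> <host> sudo[pid]: <invoking user> : <fields separated by ' ; '>"
LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo(?:\[\d+\])?:"
    r"\s+(?P<user>\S+) : (?P<rest>.*)$"
)
FIELDS = {"TTY": "tty", "PWD": "cwd", "USER": "runas"}


def parse_sudo_line(line):
    """Return a dict for a sudo syslog line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # COMMAND is always last and may itself contain ';', so split it off first.
    head, _, command = m["rest"].partition(" ; COMMAND=")
    event = {"time": m["time"], "host": m["host"], "user": m["user"],
             "command": command, "reason": None}
    for part in head.split(" ; "):
        key, sep, value = part.partition("=")
        if sep and key in FIELDS:
            event[FIELDS[key]] = value
        else:
            # Free text such as "command not allowed" marks a refused attempt.
            event["reason"] = part
    return event


def denied_by_user(log_text):
    """Count refused sudo attempts per invoking user."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event and event["reason"]:
            counts[event["user"]] += 1
    return counts


if __name__ == "__main__":
    for user, n in denied_by_user(SAMPLE_LOG).most_common():
        print(f"{user}: {n} refused sudo attempt(s)")
```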