Date:      Thu, 05 Apr 2007 10:41:39 -0500
From:      Kevin Kinsey <kdk@daleco.biz>
To:        RW <fbsd06@mlists.homeunix.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Should sudo be used?
Message-ID:  <461518B3.7060605@daleco.biz>
In-Reply-To: <20070405155128.6c6c3a6d@gumby.homeunix.com>
References:  <7d4f41f50704050142v9c73a17tb1812f218ea4416@mail.gmail.com>	<4615000C.2070407@daleco.biz> <20070405155128.6c6c3a6d@gumby.homeunix.com>

RW wrote:
> On Thu, 05 Apr 2007 08:56:28 -0500
> Kevin Kinsey <kdk@daleco.biz> wrote:
> 
>> Victor Engmark wrote:
>>> Hi all,
>>>
>>> I thought it would be a good idea to use sudo on my FreeBSD laptop,
>>> but I'm having doubts after checking the handbook (it's not
>>> mentioned at all) and Google (most of the articles were obscure
>>> and / or old).
>> It's not mentioned in the FreeBSD Handbook because it's not part
>> of the FreeBSD "base system". 
> 
> Although neither are Gnome, mplayer or growisofs, and they are covered.
>

Hmm, indeed.  I'm guessing that someone took it upon themselves
to write up these packages, and the FDP accepted their contributions,
but I'm not sure.

I've not time ATM to find where the flamewars start on the sudo
question, though.  Probably tossing some meat to doc@ I could
get one started, but I'm not sure that's a good use of anyone's
time, exactly.  Besides, the standard issue over there is, "write
it yourself" anyway. However, for my own growth I should find out when
(if?) such a discussion was held and try and understand the
"sudo should be/should not be in base" issue - not that one
exists necessarily on this Project, but it certainly does on Open-
 
>> It's a handy tool for calling your own scripts, or running
>> unprivileged scripts that need to perform a privileged operation.  I
>> believe Christian also mentioned shell aliases; one example from our
>> usage is allowing a non-privileged user to establish a PPP
>> connection; either a CLI alias or a GUI button aliased to "sudo ppp
>> -background myisp".  In my GUI I don't wish to run as root; sudo is
>> used so I can be "me" and still have pretty buttons that run
>> Ethereal, format a floppy disk, etc.. 

> 
> I think you have to be careful about what you are allowing to be done
> from general purpose accounts. If you give these authority to install
> or upgrade software, you might just as well be using Windows XP. 
>

Well, that doesn't exactly follow, logically; file permissions et al
are only one piece of the *BSD puzzle and weren't the primary reason
(and maybe weren't much of a consideration at all) for my choice of
using FreeBSD when possible instead of Windows.

Also, "general purpose" could mean many things; if it means me, I'm
not the least bit worried about it.  If it means someone who's similar
to a typical Windows user, I'm not *that* worried about it, either, although
it requires some extra precaution.  In my experience, those users don't 
want to know how things work and aren't likely to attempt make(1).  It's
the people with some amount of curiosity and/or basic "Unix-fu" (like
my aforementioned 13-year old) who are most dangerous when sudo is
installed.  And, those people are likely aware of the existence of su
as well, so the only thing barring havoc where they are concerned is
the lack of knowledge of the root passphrase.  Which, it seems, is
why finer-grained controls such as those offered by sudo (and better
examples exist: MAC, ACLs, etc.) are necessary anyway.

> BTW ppp can run as any user listed in "allow users" in  ppp.conf. 
 
Handy to know; thanks.  

Of course, sudo can control PPP, ifconfig, mount, squid, Apache, 
rc files, cp/scp/tar/cpio/dump, ...  err, anything.  ;-) "Tools,
not policy" still stands.

Kevin Kinsey
-- 
If at first you don't succeed, destroy all evidence that you tried.
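
The "sudo ppp -background myisp" case from the message above, written as a sudoers fragment next to the blanket grant that the thread warns about. This is an added example, not part of the original e-mail; the user names `kevin` and `kid` and the alias name `PPP_DIAL` are assumptions, and `myisp` is the ppp.conf label quoted in the message.

```sudoers
# Added example; edit with visudo(8) so syntax errors are caught before saving.
# The FreeBSD port installs the file as /usr/local/etc/sudoers.
# User names (kevin, kid) and the alias name are assumptions.

# Too broad for a general-purpose account: every command, as any user.
# Holding this rule is equivalent to knowing the root passphrase.
# kid     ALL = (ALL) ALL

# Scoped: one binary, given by absolute path, with its arguments fixed.
# When arguments are listed in sudoers, the invocation must match them
# exactly, so "sudo ppp -background myisp" is allowed and
# "sudo ppp -background otherlabel" or a bare "sudo ppp" is refused.
Cmnd_Alias PPP_DIAL = /usr/sbin/ppp -background myisp

# NOPASSWD lets a GUI button or shell alias run it without a prompt;
# drop the tag if a password prompt is acceptable.
kevin   ALL = (root) NOPASSWD: PPP_DIAL

# Caveat: tools that write arbitrary files or start a shell (cp, tar,
# cpio, editors, make) are not meaningfully limited by an entry like
# this one. If they must be granted, pin their arguments the same way
# and avoid wildcards.
```

`sudo -l -U kevin`, run as root, lists what the account is actually allowed to run after the change.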


