Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 21 Jan 2009 06:53:49 -1000
From:      Clifton Royston <cliftonr@lava.net>
To:        Tim Judd <tajudd@gmail.com>
Cc:        questions@freebsd.org
Subject:   Re: Edit user groups
Message-ID:  <20090121165348.GA13963@lava.net>
In-Reply-To: <4976A344.3090106@gmail.com>
References:  <49762F6C.8040404@comcast.net> <20090120222942.GB26526@lava.net> <4976A344.3090106@gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Tue, Jan 20, 2009 at 09:23:32PM -0700, Tim Judd wrote:
> Clifton Royston wrote:
> >Good advice given so far (pw is a good tool, direct editing works) but
> >I'd also suggest you consider installing and using sudo; I always
> >install it on all of my systems and use it probably 10-20 times as
> >often as su.
> >  
...
> I think sudo is a false sense of security.  If a user trusts another, 
> and give sudo access, why not give the whole OS to them?
 
  Among other reasons, because it allows you to partition privileges
and give access for specific users (or groups of users) to specific
accounts only, or to execute only a specific set of commands as root or
another user.  When I was running a department of technical support
staff and another group of junior administrators, this ability to limit
and partition powers was a life-saver.

  I think you mistrust sudo because you do not yet understand it as
well as su (also essential, but a more blunt instrument.)

> Sudo's out there -- don't get me wrong, but you won't catch me dead with 
> a box with sudo installed.  I think it's a very misleading tool.  And 
> not to say they do -- but what if the devs put in a keygen...do you 
> monitor the sudo source code?

  Rarely, but it's freely available, and thousands if not tens of
thousands of other programmers and admins have access to it, and do
check it enough to find the occasional bug.  Same as the source to su,
or to the OS as a whole; has it never occurred to you there are trust
issues there as well?
 
> And if I remember correctly -- the way sudo gets it's work done is a 
> SUID bit to root. 

  Dude, how do you think su works?

  -- Clifton

-- 
    Clifton Royston  --  cliftonr@iandicomputing.com / cliftonr@lava.net
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20090121165348.GA13963>