Date: Wed, 21 Jan 2009 10:51:45 -0800 From: pete wright <nomadlogic@gmail.com> To: Tim Judd <tajudd@gmail.com> Cc: questions@freebsd.org, Akenner <SlackWareWolf@comcast.net>, Clifton Royston <cliftonr@lava.net> Subject: Re: Edit user groups Message-ID: <57d710000901211051u12ad4ca6ifc5b96046953c4dd@mail.gmail.com> In-Reply-To: <4976A344.3090106@gmail.com> References: <49762F6C.8040404@comcast.net> <20090120222942.GB26526@lava.net> <4976A344.3090106@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
<sorry OT> >> >> > > and I recommend against sudo because it's very design is a man-in-the-middle > type of scenario, and one typo by the sudo devs can possibly make a mess out > of things. > > I think sudo makes a lazy admin -- too easy to just run in and hit > something. > > I think sudo is a false sense of security. If a user trusts another, and > give sudo access, why not give the whole OS to them? > > Sudo's out there -- don't get me wrong, but you won't catch me dead with a > box with sudo installed. I think it's a very misleading tool. And not to > say they do -- but what if the devs put in a keygen...do you monitor the > sudo source code? > > And if I remember correctly -- the way sudo gets it's work done is a SUID > bit to root. Those are the devil's eggs that hatch and just cause havoc. A > rogue CGI calling sudo to do something on the website, buffer overflow (with > php!) and you've gotten rooted. > > No, no -- I hate sudo for it's own doing. It's going to eat itself alive. > > </rant> No flames please. not a flame, but a point of order - you can grant sudo privs to a user that does not automatically give them full root/wheel privs. i recon this is something that most admins have had to come across when working in a multiuser environment. what sudo also does provides you is: 1) an audit trail of who did what, when with said escalated privs 2) a way to give non-wheel users access to run specific commands that may require escalted privs so i'm not really sure why one would want to throw out the baby with the bath water, it's just another layer on the onion - and much better than giving everyone root access, or requiring the one or two trusted users in wheel to executed any program that may require escalated privs (rndc reload, apachectl reload come to mind immediately). -p -- ~~o0OO0o~~ Pete Wright www.nycbug.org NYC's *BSD User Group
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?57d710000901211051u12ad4ca6ifc5b96046953c4dd>