Date: Fri, 26 Mar 1999 13:03:27 +0200 (EET)
From: Narvi <narvi@haldjas.folklore.ee>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: James Wyatt <jwyatt@RWSystems.net>, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-ID: <Pine.BSF.3.96.990326125814.5291B-100000@haldjas.folklore.ee>
In-Reply-To: <199903251836.KAA00989@apollo.backplane.com>

On Thu, 25 Mar 1999, Matthew Dillon wrote:

>
> :
> :On Thu, 25 Mar 1999, Matthew Dillon wrote:
> : [ ... ]
> :> are still vulnerable. You can get into the account just fine without
> :> exposing a password, but once in the account if you need to type a
> :> password of any sort in to do something else, *that* password is
> :> vulnerable to interception.
> :
> :especially sudo and su... - Jy@
>
> We used sudo for a little while 3 years ago, but I decided that it was
> too big a security risk and wiped it. sudo is one of the stupidest
> programs I've ever seen.
>
> -Matt
> Matthew Dillon
> <dillon@backplane.com>

The other problem of using sudo is that some of the protection it seems to
offer is just that, seeming. Just too many things allow the user to exec a
shell or other uncontrollable things.

And if you are virtually giving the person having sudo capabilities full
root, why not just give them root? Or not give them root, managing the
resources differently (even if with setuid and/or setgid programs) and
avoid sudo?

Sander

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.990326125814.5291B-100000>