Date:      Sat, 27 Mar 1999 23:27:43 -0800
From:      "Jan B. Koum " <jkb@best.com>
To:        Matthew Dillon <dillon@apollo.backplane.com>, James Wyatt <jwyatt@RWSystems.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Kerberos vs SSH
Message-ID:  <19990327232743.C29901@best.com>
In-Reply-To: <199903251836.KAA00989@apollo.backplane.com>; from Matthew Dillon on Thu, Mar 25, 1999 at 10:36:55AM -0800
References:  <Pine.BSF.4.05.9903250926290.23152-100000@kasie.rwsystems.net> <199903251836.KAA00989@apollo.backplane.com>

On Thu, Mar 25, 1999 at 10:36:55AM -0800, Matthew Dillon <dillon@apollo.backplane.com> wrote:
> 
> :
> :On Thu, 25 Mar 1999, Matthew Dillon wrote:
> :	[ ... ]
> :>     are still vulnerable.  You can get into the account just fine without 
> :>     exposing a password, but once in the account if you need to type a
> :>     password of any sort in to do something else, *that* password is
> :>     vulnerable to interception.
> :
> :especially sudo and su... - Jy@
> 
>     We used sudo for a little while 3 years ago, but I decided that it was
>     too big a security risk and wiped it.  sudo is one of the stupidest
>     programs I've ever seen.
>     
> 					-Matt
> 					Matthew Dillon 
> 					<dillon@backplane.com>
> 

	I have to agree with Matt 200% on the sudo. While the software itself
	might be well done -- the idea of 'partial root' is not.

	At a large FreeBSD shop where I work I see sudo being abused by people
	who are not qualified to even have a Unix shell. To many sudo != root,
	where it is just that, root.

	If you trust someone with root -- let them su(1). Else don't even give
	them partial root access.

-- Yan

