Andrei POPESCU writes:
> On Lu, 09 dec 13, 09:09:11, Gian Uberto Lauri wrote:
> >
> > What are the benefits of The "Macintosh/Ubuntu" use of sudo? Improved
> > security? Are you kidding? Whatever the user I compromise I have root
> > access, just type "sudo bash".
>
> sudo doesn't make this worse, just slightly easier. Compromising any
> user account used for getting root is equivalent to getting root on the
> system.

sudo makes it a bit worse. Any user account opens the door to the root
account. Therefore you have to guard a larger perimeter.

> > Furthermore the sudo habit of keeping valid an authentication for a
> > certain amount of time seems like an open door for malicious code
> > injection.
>
> 1. this can be turned off

It should be by default, or the configuration should be more flexible and
interactive. Even rewriting the configuration-file-handling-code in
sudo could be a good idea :>.

> 2. it's still better than having to require a password every time the
> user runs 'sudo <command>', because the net effect would be that most
> would disable the password completely or just leave a 'sudo -i' session
> active for ever (and not lock their screen, etc.)

Teach them to use a root session that must be handled with extreme
care. I have to do X commands as root? I su root, do the X command and
close the session. With the off-the-shelf configuration, the simplest
thing to do is sudo bash.

(BTW, I work with a root-dedicated terminal with proper "scary" icon
and color theme to remind me that it's a "dangerous" environment).

> > And if this not enough, sudo may become disruptive on machines with
> > several users, unless all of them have the required skills (included
> > the one of stopping and asking advice!) and common administration
> > policies are accepted by all.
>
> Sorry, but I don't think it's fair to blame 'sudo' for the fact that the
> system administrator granted sudo privileges to the wrong users. You
> can't solve social problems by technical means.

I blame the default configuration sudo is shipped with.

Andrei, I never walked in your shoes so I can't make assumptions about
your experiences. Mine talk about a group with a sysadmin where having
"all this freedom" to sudo led to a waste and misallocation of
resources that took some *months* to fix.
Yes, policies should have prevented this, but this use of sudo leads
users to feel less "the danger" that lies beneath using administrative
privileges in a system. It's a psychological barrier that you should
not underestimate.

-- 
Gian Uberto Lauri
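
Added example, not part of the original message: a short Python audit for the two sudoers properties debated in this thread, blanket root grants and credential caching (controlled by the sudoers option `timestamp_timeout`, where 0 means always prompt). The sample sudoers text is constructed, the finding labels are names chosen for this example, and the parser handles only global Defaults lines and simple user specifications.

```python
import re

# Constructed sample, not taken from a real system.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults timestamp_timeout=15
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
alice   ALL=(ALL) NOPASSWD: \\
        ALL
"""

def logical_lines(text):
    """Yield rules with comment lines dropped and backslash continuations joined.
    Simplification: #include/#includedir files are not followed."""
    buf = ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line:
            yield line

def audit(text):
    """Return (subject, finding) pairs; finding labels are this example's own."""
    findings, timeout = [], None
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            m = re.match(r"Defaults\s.*\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", line)
            if m:
                timeout = float(m.group(1))
            continue
        if re.match(r"\w+_Alias\b", line) or "=" not in line:
            continue
        who, spec = line.split(None, 1)
        cmds = re.sub(r"^\s*\([^)]*\)\s*", "", spec.split("=", 1)[1])  # drop (runas)
        if "ALL" in [c.strip() for c in re.sub(r"\b[A-Z_]+:", "", cmds).split(",")]:
            findings.append((who, "unrestricted-root"))  # any account compromise = root
        if "NOPASSWD:" in cmds:
            findings.append((who, "no-password"))
    if timeout is None:
        findings.append(("Defaults", "credential-cache-default"))  # compiled-in timeout
    elif timeout != 0:
        findings.append(("Defaults", "credential-cache-enabled"))  # 0 = always prompt
    return findings

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_SUDOERS):
        print(f"{subject}: {finding}")
```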