At 15:15 7/21/2005, Stephen Major wrote:

http://www.freshports.org/security/sudo/


there it is in the ports tree do your research before saying that my claim
is baseless

The claim that you'd have to do any configuring at all is "baseless."


And stop before you come back with saying you have to configure it.
Because that is exactly my point I do not have to configure anything to use
su.

And no you could not make sudo "out of the box" ready, for everyone's
application. Otherwise the default configs would already be that way when
you installed it from ports.

Try logic here rather than just spouting the first thing that comes to mind.

It can be duplicated.  Exactly.
The port contains the following line in the default sudoers(5) file:

# %wheel ALL = (ALL) ALL

All you need to do is uncomment that and voilà, you have default su behavior -- anyone in the wheel group allowed to sudo as any other user.

The only difference is it asks for their password instead of the root password, which is how sudo works, the entire point some (including myself) might say.


I only want 2 users on my system to be in the wheel group and su to full
root.

But the next guy might want sudo and be able to give limited access to
several "sub-admins"

Perhaps, but guess what?  sudo gives that opportunity, su does not.

Coupled with the fact that sudo can be configured (and should be by default, if in the base system) to allow wheel to function as it does for su, and I say again: your concerns in this regard are entirely baseless.


From my perspective su is more secure than sudo in the fact that an idiot
admin cannot screw it up. Unless they set some dumb root password for
example: 1234admin

There is no security against idiocy. If you combine "idiot" and "admin" in your environment, and make an "idiot admin", shame on you, not shame on sudo.
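
The change discussed in the message above, as an added example that is not part of the original e-mail or of the sudo port: it uncomments the `%wheel` rule in a copy of a sudoers file and lists which entries hold an unrestricted `ALL = (ALL) ALL` grant before and after. The sample file and the function names are constructed for illustration.

```shell
#!/bin/sh
# Write a constructed sample sudoers file (not the port's actual default file).
make_sample_sudoers() {
    cat > "$1" <<'EOF'
# Constructed sample for illustration.
root ALL = (ALL) ALL
# %wheel ALL = (ALL) ALL
EOF
}

# Uncomment the wheel rule, writing the result to a new file so the
# original is never edited in place.
enable_wheel_rule() {
    sed 's/^#[[:space:]]*\(%wheel[[:space:]]*ALL[[:space:]]*=[[:space:]]*(ALL)[[:space:]]*ALL[[:space:]]*\)$/\1/' \
        "$1" > "$2"
}

# Print every user or %group that has an active, unrestricted
# "ALL = (ALL) ALL" rule. Comment and blank lines are skipped.
full_root_grants() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            who = $1
            rest = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)   # drop the user/group field
            gsub(/[ \t]/, "", rest)                 # ignore spacing differences
            if (rest == "ALL=(ALL)ALL") print who
        }
    ' "$1"
}

# Demo on temporary files only.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample_sudoers "$dir/sudoers"
    echo "before:"; full_root_grants "$dir/sudoers"
    enable_wheel_rule "$dir/sudoers" "$dir/sudoers.new"
    echo "after:";  full_root_grants "$dir/sudoers.new"
    rm -rf "$dir"
}
demo
```

Check an edited file with `visudo -c -f <file>` before installing it; the listing shows that after the change every member of wheel holds the same unrestricted grant as root, authenticated with their own password.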
