Tim wrote: > Hello > > 1. I have a old computer that is slow and has little memory. But I > want to keep it updated with patches. I can't compile these patches > on the system but I could do it on another faster system. But how can > I later apply the compiled patches to the weak system?
In addition to the previously mentioned release(8) process (also documented here: http://www.openbsd.org/faq/faq5.html#Release), there is another thing you could do: run snapshots. They will have all the security and reliability updates (before they are in -stable, in fact), but also feature updates. > 2. Alot of you seem to use sudo instead of su - when you want to do > something that requires privileges. Why is this? What settings are > you using for sudo? Took me a while to get interested in sudo, which is unfortunate. Way cool program. When I set up an OpenBSD system, one of the first things I do is create a personal user for myself, put myself in the wheel group, configure sudo to let wheel users do anything, log in as that user, and disable root logins. Completely disable. This does a few things... 1) Ensures that random PW guessing attacks at "root" will not succeed. (this isn't a huge security gain, but from completely random attackers, it gives them two things to guess, not just one. If you are going after me personally, yeah, not so hard: my most common user name is 'nick' :) 2) Ensures that for systems that have to be administered by multiple users (i.e., business users), that there is no one user who has "more" access than any other, and thus, you have full redundancy in maintainers. 3) In multiply administered systems, you don't have to share any passwords between administrators. Sharing PWs is a bad thing, m'kay? (su requires sharing of root PWs) note: while this is a nice trick for OpenBSD, be careful using it on lesser Unixes -- many need a PW for root access for single user mode (by default at least). As mentioned elsewhere, you can also restrict what people do on a system -- for example, I have set up "controlled" firewalls for schools, where a teacher could turn on and off Internet connections in their classroom. You might not want the teacher to have full access to all functionality in the firewall, but they do need root-level access to change the filter rules. So, permit the proper commands with sudo, wrap it all up in nice scripts, and it becomes very easy and very transparent. Try that with "su" :) Note that in this case, it isn't that I distrust the teacher's intent, I just don't trust their knowledge of Unix administration, and don't want them having accidents... if I didn't trust at least their intent, I don't think I'd let 'em in. :) Try it, it's addictive. :) Nick.
