Re: Should sudo be used?
On 4/7/07, Kevin Kinsey <[EMAIL PROTECTED]> wrote:
> Jerry McAllister wrote:
> > Also, although telnet is a hole nowadays for logging in to a system with
> > an id and password for the very reasons you have given, it still has
> > a use. You can use it to easily poke at a port and check the response
> > to see if something is up and working. Of course, in that case you
> > would probably not be sending an id and password, just some common
> > handshaking strings that don't reveal any secrets to anyone.
> > This is really a different issue from what was the OP or the intent
> > of the wiki article, of course.
>
> Right; the intent, as I see it, is to pound through people's (potential
> new *BSD system admins) heads the fact that you don't use telnet for
> remote logins/remote shell work.

Well actually, we're looking forward to telnet start-tls RFC. It will provide for tighter integration of PKI. I'll be glad to see the day when all I need for authentication is TLS certs.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Should sudo be used?
Jerry McAllister wrote:
> On Thu, Apr 05, 2007 at 11:28:34AM -0500, Jeremy C. Reed wrote:
> > On Thu, 5 Apr 2007, Kevin Kinsey wrote:
> > > I thought I might also mention a potential "sudo"-shortcoming. :-D
> > >
> > > See:
> > > http://bsdwiki.reedmedia.net/wiki/Recognize_basic_recommended_access_methods.html
> > >
> > > Where I wrote about a "quoting problem" that occasionally confuses
> > > newbs like me.
>
> Finally got around to reading the wiki page. It is good.
> I noticed one grammatical thing of question. In the first paragraph
> under "Use ssh instead of Telnet or rsh/rlogin" it says
>
>   "they should never be used to administrate a machine over a network,"
>
> I think the word should be 'administer' instead of 'administrate'
> unless this is some sort of British thing. I know, picky picky, but
> it just stood out to me as I was reading.

I'll look into that. I churned out a lot of text, so if that's all you saw, Jeremy must have had his lucky shirt on. ;-)

Also, ;-) nothing would prevent you from signing up and making such a change yourself. I'm sure the book could benefit from your wisdom.

> Also, although telnet is a hole nowadays for logging in to a system with
> an id and password for the very reasons you have given, it still has
> a use. You can use it to easily poke at a port and check the response
> to see if something is up and working. Of course, in that case you
> would probably not be sending an id and password, just some common
> handshaking strings that don't reveal any secrets to anyone.
> This is really a different issue from what was the OP or the intent
> of the wiki article, of course.

Right; the intent, as I see it, is to pound through people's (potential new *BSD system admins) heads the fact that you don't use telnet for remote logins/remote shell work.

KDK
--
Rocky's Lemma of Innovation Prevention
    Unless the results are known in advance, funding agencies will reject the proposal.
Re: Should sudo be used?
On Fri, Apr 06, 2007 at 12:08:04PM +0100, Alex Zbyslaw wrote:
> Jerry McAllister wrote:
>
> >I noticed one grammatical thing of question. In the first paragraph
> >under "Use ssh instead of Telnet or rsh/rlogin" it says
> >
> > "they should never be used to administrate a machine over a network,"
> >
> >I think the word should be 'administer' instead of 'administrate'
> >unless this is some sort of British thing. I know, picky picky, but
> >it just stood out to me as I was reading.
> >
>
> 10 years ago you might have been correct. An old dictionary on the
> shelf does not list "administrate". However both modern dictionaries I
> tried listed it with the same meaning as administer in its "oversee" sense.
>
> On-line, try, for example, WordNet http://wordnet.princeton.edu/ (web
> interface: http://wordnet.princeton.edu/perl/webwn). I can find over a
> dozen references with a google for "administrate meaning".
>
> I can't find any etymology for this specific (and I would agree, in some
> sense wrong) form however it is clearly in common usage.
>
> Language evolves, not always in ways that everyone likes. Administer is
> a perfectly good word, and there's no need for "administrate" to exist.
> But language skills being what they are, someone looks at
> "administration" and it's quite understandable how they get to a verb
> "administrate". Cf. compensation, for example.

Geeez, the language is falling apart. I was afraid of that. Why did I ever take 8th grade English and have to learn about verb infinitives when I could have been trying to spy on girls gym class...

jerry

>
> --Alex
Re: Should sudo be used?
Jerry McAllister wrote:
> I noticed one grammatical thing of question. In the first paragraph
> under "Use ssh instead of Telnet or rsh/rlogin" it says
>
>   "they should never be used to administrate a machine over a network,"
>
> I think the word should be 'administer' instead of 'administrate'
> unless this is some sort of British thing. I know, picky picky, but
> it just stood out to me as I was reading.

10 years ago you might have been correct. An old dictionary on the shelf does not list "administrate". However both modern dictionaries I tried listed it with the same meaning as administer in its "oversee" sense.

On-line, try, for example, WordNet http://wordnet.princeton.edu/ (web interface: http://wordnet.princeton.edu/perl/webwn). I can find over a dozen references with a google for "administrate meaning".

I can't find any etymology for this specific (and I would agree, in some sense wrong) form however it is clearly in common usage.

Language evolves, not always in ways that everyone likes. Administer is a perfectly good word, and there's no need for "administrate" to exist. But language skills being what they are, someone looks at "administration" and it's quite understandable how they get to a verb "administrate". Cf. compensation, for example.

--Alex
Re: Should sudo be used?
On Thu, Apr 05, 2007 at 06:54:06PM -0700, Garrett Cooper wrote:
> b) sudo can run commands directly instead of having to type in su, and
> then run the command from the su'ed shell.

From man su:

    If the optional args are provided on the command line, they are passed to
    the login shell of the target login. Note that all command line arguments
    before the target login name are processed by su itself, everything
    after the target login name gets passed to the login shell.

This lets you run commands without obtaining a full shell.

> Unless you're trying to get root access and fall under point b., and
> this is your own personal machine, there's basically no use in using
> sudo. Besides, one less binary on your machine with those sorts of
> privileges offers less methods of attacking your machine in order to get
> elevated privileges.

I like the logging ability. If I fatfinger a command line, I can easily go back and see exactly what I did (in case the output of the command doesn't make it obvious), and when. It's all personal preference, though.

> -Garrett

Erik
Re: Should sudo be used?
Christian Walther wrote:
> On 05/04/07, Schiz0 <[EMAIL PROTECTED]> wrote:
> [Moved answer to the bottom -- please don't use top post]
>>
>> On 4/5/07, Pietro Cerutti <[EMAIL PROTECTED]> wrote:
>> >
>> > On 4/5/07, Schiz0 <[EMAIL PROTECTED]> wrote:
>> > > I don't use sudo. I find it rather pointless. If I need to do something as
>> > > root, I use su to gain root privileges, then when I'm done, I exit and
>> > > return to the original user. The user running su must be in the group
>> > > "wheel" to be able to su to root. This is a simple yet convenient security
>> > > system.
>> >
>> > What when you have several people with different privileges wanting to
>> > do stuff that normally only root can? Would you give your root
>> > password to everyone, or rather install sudo and define exactly what a
>> > user can do?
>> >
>> True, if that was the case I'd use sudo. But I'm the only user on my systems
>> that I'd trust with root access, so there's no point with my setup.
>
> Well, sudo makes execution of several commands or script as another
> user quite simple because there's no need to enter the root password.
> For example I've three Access Points at home, but my machine can't
> connect to the "nearest" one automatically. So I need to issue
> "ifconfig ath0 scan" as root. Since I'm not root all the time, I
> defined an alias that executes the command using sudo. It's just one
> word, and I'm set.
>
> My girlfriend is using my old Laptop now, and I installed FreeBSD on
> it, too. So she needs the command, too. Since she isn't used to the
> Console I defined a new program/button in KDE she can press.
>
> So you see, there are reasons to use sudo even if you're the only user
> on a system. But as anywhere else in the Unix world, there are several
> different ways of how to perform a certain task, and the way one
> chooses is up to him/her.

One thing I find that hasn't really been mentioned is that:

a) sudo can run programs under different user credentials that aren't possible with non-wheel users. For instance if I had a binary, and I told someone "hey, use sudo for this" and added them and the binary / command to a script, everyone with access as specified via the sudo file could run it.

b) sudo can run commands directly instead of having to type in su, and then run the command from the su'ed shell.

Unless you're trying to get root access and fall under point b., and this is your own personal machine, there's basically no use in using sudo. Besides, one less binary on your machine with those sorts of privileges offers less methods of attacking your machine in order to get elevated privileges.

-Garrett
Re: Should sudo be used?
On Thu, Apr 05, 2007 at 10:42:27AM +0200, Victor Engmark wrote:
> Hi all,
>
> I thought it would be a good idea to use sudo on my FreeBSD laptop, but I'm
> having doubts after checking the handbook (it's not mentioned at all) and
> Google (most of the articles were obscure and / or old).
>
> Are you using sudo? If not, why?

I administer a tiny LAN. Usually, I'm the only one fooling with the servers (IMAP, file sharing for classic Mac & Windows, routing, Internet access, other lesser things). However, it's nice to go on vacation occasionally. I have a small number of accounts, each of which uses sudo to give the account the rights necessary to administer one part of the overall system. I can pass off the mail duties to someone else, and know that the worst damage they can do is limited to the mail system, and restricted by the rights granted via sudo.

As long as the firewall and other security measures are in place, my biggest concern is clumsy fingers. Sudo limits the harm that can occur and backups ensure recovery.

Bob Hall
Re: Should sudo be used?
On Thu, Apr 05, 2007 at 11:28:34AM -0500, Jeremy C. Reed wrote:
> On Thu, 5 Apr 2007, Kevin Kinsey wrote:
>
> > I thought I might also mention a potential "sudo"-shortcoming. :-D
> >
> > See:
> > http://bsdwiki.reedmedia.net/wiki/Recognize_basic_recommended_access_methods.html
> >
> > Where I wrote about a "quoting problem" that occasionally confuses
> > newbs like me.

Finally got around to reading the wiki page. It is good.
I noticed one grammatical thing of question. In the first paragraph under "Use ssh instead of Telnet or rsh/rlogin" it says

  "they should never be used to administrate a machine over a network,"

I think the word should be 'administer' instead of 'administrate' unless this is some sort of British thing. I know, picky picky, but it just stood out to me as I was reading.

Also, although telnet is a hole nowadays for logging in to a system with an id and password for the very reasons you have given, it still has a use. You can use it to easily poke at a port and check the response to see if something is up and working. Of course, in that case you would probably not be sending an id and password, just some common handshaking strings that don't reveal any secrets to anyone. This is really a different issue from what was the OP or the intent of the wiki article, of course.

jerry

>
> Hi Kevin,
>
> I wasn't following this thread, but I read some of it now.
>
> I had a quick look at your text ... I think it would be easier to just
> use:
>
> echo 'natd_enable="YES"' | sudo tee -a /etc/rc.conf
>
> > Also, I don't speak for the BSD certification project, although I have
> > helped flesh out content on the wiki above. It appears that I changed
> > the wording from "using the possibly 3rd-party sudo" to "possibly using
> > the 3rd-party sudo" thinking that the objective's wording was in error,
> > when actually those statements imply different meaning. I'm copying
> > Jeremy Reed on this, who is closer to the Cert project and probably
> > *can* speak for them. I'd imagine I need to find some way to fix that,
> > because it sure seems to read as if *they* recommend using sudo ;-)
>
> The objective covers sudo no matter what. Our job task survey indicated
> that sudo is very important and essential for junior admins and
> intermediate/advanced admins.
>
> The "possibly" emphasis should be on "third-party". So the "Concept" on
> the wiki page is wrong, but the "More information" at the bottom is
> correct.
>
> Thanks for sending the email.
>
> Jeremy C. Reed
>
> p.s. And thank you Kevin for your work there. I have a lot of work to do
> and as you know the deadlines have passed. If anyone else is interested in
> helping get this finished, please email me. No matter what I will publish
> the book (and then publish a new book when updated maybe 6 months or a
> year later).
Re: Should sudo be used?
On Apr 5, 2007, at 3:42 AM, Victor Engmark wrote:
> Are you using sudo? If not, why?

I am using sudo. In /usr/local/etc/sudoers I have

    %wheel  ALL=(ALL) ALL

Even though I'm the only person logging in, I still prefer to just remember my password instead of having to remember root's. Of course I have the root password nicely stored away somewhere in a password management system, it is one less password that I actually have to use.

I became a fan of sudo from my experience with Apple's OS X.

-j

--
Jeffrey Goldberg    http://www.goldmark.org/jeff/
Re: Should sudo be used?
On Thu, 5 Apr 2007, Kevin Kinsey wrote:
> I thought I might also mention a potential "sudo"-shortcoming. :-D
>
> See:
> http://bsdwiki.reedmedia.net/wiki/Recognize_basic_recommended_access_methods.html
>
> Where I wrote about a "quoting problem" that occasionally confuses
> newbs like me.

Hi Kevin,

I wasn't following this thread, but I read some of it now.

I had a quick look at your text ... I think it would be easier to just use:

    echo 'natd_enable="YES"' | sudo tee -a /etc/rc.conf

> Also, I don't speak for the BSD certification project, although I have
> helped flesh out content on the wiki above. It appears that I changed
> the wording from "using the possibly 3rd-party sudo" to "possibly using
> the 3rd-party sudo" thinking that the objective's wording was in error,
> when actually those statements imply different meaning. I'm copying
> Jeremy Reed on this, who is closer to the Cert project and probably
> *can* speak for them. I'd imagine I need to find some way to fix that,
> because it sure seems to read as if *they* recommend using sudo ;-)

The objective covers sudo no matter what. Our job task survey indicated that sudo is very important and essential for junior admins and intermediate/advanced admins.

The "possibly" emphasis should be on "third-party". So the "Concept" on the wiki page is wrong, but the "More information" at the bottom is correct.

Thanks for sending the email.

Jeremy C. Reed

p.s. And thank you Kevin for your work there. I have a lot of work to do and as you know the deadlines have passed. If anyone else is interested in helping get this finished, please email me. No matter what I will publish the book (and then publish a new book when updated maybe 6 months or a year later).
Re: Should sudo be used?
On Thu, 05 Apr 2007 08:56:28 -0500 Kevin Kinsey <[EMAIL PROTECTED]> wrote:
> Victor Engmark wrote:
> > Hi all,
> >
> > I thought it would be a good idea to use sudo on my FreeBSD laptop,
> > but I'm having doubts after checking the handbook (it's not
> > mentioned at all) and Google (most of the articles were obscure
> > and / or old).
>
> It's not mentioned in the FreeBSD Handbook because it's not part
> of the FreeBSD "base system".

Although neither are Gnome, mplayer or growisofs, and they are covered.

> It's a handy tool for calling your own scripts, or running
> unprivileged scripts that need to perform a privileged operation. I
> believe Christian also mentioned shell aliases; one example from our
> usage is allowing a non-privileged user to establish a PPP
> connection; either a CLI alias or a GUI button aliased to "sudo ppp
> -background myisp". In my GUI I don't wish to run as root; sudo is
> used so I can be "me" and still have pretty buttons that run
> Ethereal, format a floppy disk, etc..

I think you have to be careful about what you are allowing to be done from general purpose accounts. If you give these authority to install or upgrade software, you might just as well be using Windows XP.

BTW ppp can run as any user listed in "allow users" in ppp.conf.
Re: Should sudo be used?
RW wrote:
> On Thu, 05 Apr 2007 08:56:28 -0500 Kevin Kinsey <[EMAIL PROTECTED]> wrote:
> > Victor Engmark wrote:
> > > Hi all,
> > >
> > > I thought it would be a good idea to use sudo on my FreeBSD laptop,
> > > but I'm having doubts after checking the handbook (it's not
> > > mentioned at all) and Google (most of the articles were obscure
> > > and / or old).
> >
> > It's not mentioned in the FreeBSD Handbook because it's not part
> > of the FreeBSD "base system".
>
> Although neither are Gnome, mplayer or growisofs, and they are covered.

Hmm, indeed. I'm guessing that someone took it upon themselves to write up these packages, and the FDP accepted their contributions, but I'm not sure. I've not time ATM to find where the flamewars start on the sudo question, though. Probably tossing some meat to doc@ I could get one started, but I'm not sure that's a good use of anyone's time, exactly. Besides, the standard issue over there is, "write it yourself" anyway. However, for my own growth I should find out when (if?) such a discussion was held and try and understand the "sudo should be/should not be in base" issue - not that one exists necessarily on this Project, but it certainly does on Open-

> > It's a handy tool for calling your own scripts, or running
> > unprivileged scripts that need to perform a privileged operation. I
> > believe Christian also mentioned shell aliases; one example from our
> > usage is allowing a non-privileged user to establish a PPP
> > connection; either a CLI alias or a GUI button aliased to "sudo ppp
> > -background myisp". In my GUI I don't wish to run as root; sudo is
> > used so I can be "me" and still have pretty buttons that run
> > Ethereal, format a floppy disk, etc..
>
> I think you have to be careful about what you are allowing to be done
> from general purpose accounts. If you give these authority to install
> or upgrade software, you might just as well be using Windows XP.

Well, that doesn't exactly follow, logically; file permissions et al are only one piece of the *BSD puzzle and weren't the primary reason (and maybe weren't much of a consideration at all) for my choice of using FreeBSD when possible instead of Windows.

Also, "general purpose" could mean many things; if it means me, I'm not the least bit worried about it. If it means someone who's similar to a typical Windows user, I'm not *that* worried about it, either, although it requires some extra precaution. In my experience, those users don't want to know how things work and aren't likely to attempt make(1).

It's the people with some amount of curiosity and/or basic "Unix-fu" (like my aforementioned 13-year old) who are most dangerous when sudo is installed. And, those people are likely aware of the existence of su as well, so the only thing barring havoc where they are concerned is the lack of knowledge of the root passphrase. Which, it seems, is why finer-grained controls such as those offered by sudo (and better examples exist: MAC, ACLs, etc.) are necessary anyway.

> BTW ppp can run as any user listed in "allow users" in ppp.conf.

Handy to know; thanks. Of course, sudo can control PPP, ifconfig, mount, squid, Apache, rc files, cp/scp/tar/cpio/dump, ... err, anything. ;-) "Tools, not policy" still stands.

Kevin Kinsey
--
If at first you don't succeed, destroy all evidence that you tried.
Re: Should sudo be used?
Hi again,

I thought I might also mention a potential "sudo"-shortcoming. :-D

See:
http://bsdwiki.reedmedia.net/wiki/Recognize_basic_recommended_access_methods.html

Where I wrote about a "quoting problem" that occasionally confuses newbs like me.

Also, I don't speak for the BSD certification project, although I have helped flesh out content on the wiki above. It appears that I changed the wording from "using the possibly 3rd-party sudo" to "possibly using the 3rd-party sudo" thinking that the objective's wording was in error, when actually those statements imply different meaning. I'm copying Jeremy Reed on this, who is closer to the Cert project and probably *can* speak for them. I'd imagine I need to find some way to fix that, because it sure seems to read as if *they* recommend using sudo ;-)

Kevin Kinsey
--
A general leading the State Department resembles a dragon commanding ducks.
    -- New York Times, Jan. 20, 1981
Re: Should sudo be used?
Victor Engmark wrote:
> Hi all,
>
> I thought it would be a good idea to use sudo on my FreeBSD laptop,
> but I'm having doubts after checking the handbook (it's not mentioned
> at all) and Google (most of the articles were obscure and / or old).

It's not mentioned in the FreeBSD Handbook because it's not part of the FreeBSD "base system". It would open up a rather big door that the FDP doesn't wish to run through if they began writing up instructions for software that's not in the base. I don't know if any research exists to tell us how many FreeBSD machines have sudo installed, though; I'd wager more than a few.

> Are you using sudo? If not, why?

Absolutely.

---

Pietro Cerutti:
> Yes I am. I would say anything allowing not to use the root password
> is worth using.

Root passwords can be "visually sniffed" by someone nearby. Good reason.

Christian Walther:
> Well, sudo makes execution of several commands or script as another
> user quite simple because there's no need to enter the root password.

It's a handy tool for calling your own scripts, or running unprivileged scripts that need to perform a privileged operation. I believe Christian also mentioned shell aliases; one example from our usage is allowing a non-privileged user to establish a PPP connection; either a CLI alias or a GUI button aliased to "sudo ppp -background myisp". In my GUI I don't wish to run as root; sudo is used so I can be "me" and still have pretty buttons that run Ethereal, format a floppy disk, etc.. And "alias | grep -c sudo" in my shell returns 11, although some of those aren't used frequently.

Amarendra Godbole:
> My primary reason is proper logging in the syslog.

Valid; another primary reason is keeping tabs on other people via the same mechanism. Technically, I'm the only "user" on my box, but it's the gateway and proxy server for our LAN, so I know if an employee is trying something with sudo; I'm teaching my 13-year old a little Unix-fu, and was gratified to get email from sudo last month letting me know he had attempted to "unban" an online game he's been "grounded" from by our Squid proxy.

Obviously, there are differences of opinion about sudo; OpenBSD has it as part of their "base system", but enough "controversy" (if that's the right word, and it probably isn't) exists that the BSD Certification group wrote this as a learning objective:

] Be familiar with standard system administration practices used
] to minimize the risks associated with accessing a system. These include:
]
] * using ssh instead of telnet
] * denying root logins
] * (possibly) using the third-party sudo utility instead of su, and
] * minimizing the use of the wheel group.

As (I think?) someone else mentioned, "tools, not policy" is a UNIX axiom. So, it's up to you to make your own policy. #include , YMMV, and all that.

Kevin Kinsey
--
At social gatherings, I would amuse everyone by standing uponst the coffee table and striking meself repeatedly upon the head with a brick.
    -- H. R. Gumby
Re: Should sudo be used?
On 4/5/07, Victor Engmark <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I thought it would be a good idea to use sudo on my FreeBSD laptop,
> but I'm having doubts after checking the handbook (it's not mentioned
> at all) and Google (most of the articles were obscure and / or old).
>
> Are you using sudo? If not, why?
[...]

I am the only user on my system and I use sudo for all commands that require root access. My primary reason is proper logging in the syslog. All commands that I execute using sudo are logged to the syslog - this way I now have an audit trail of my actions, when I am sudo to root. In contrast, doing a su and executing commands leaves back no trail whatsoever...

Here is a snippet of my syslog, when I executed whoami (just as an example) with sudo:

    Apr 5 15:26:07 zimbu sudo: amar : TTY=ttyp4 ; PWD=/home/amar ; USER=root ; COMMAND=/usr/bin/whoami

Cheers,
Amarendra
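The sudo syslog entry quoted in the message above can be turned into audit records with a short parser. This is an added example, not part of the original post and not code from the sudo project; the first sample line is the one from the message, the other lines, the SHELLS list and the review() rules are constructed assumptions for illustration.

```python
import re

# Syslog prefix, then sudo's "user : field ; field ; ..." body.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:\s+(?P<body>.*)$"
)
FIELD_RE = re.compile(r"^([A-Z]+)=(.*)$")

# Assumption for this example: programs that hand out an interactive
# root shell, after which sudo records nothing further.
SHELLS = {"sh", "csh", "tcsh", "bash", "zsh", "ksh"}


def parse_sudo_line(line):
    """Return a dict for a sudo syslog line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "user": m["user"], "event": "ok"}
    # COMMAND is the last field and may itself contain " ; ", so split
    # it off first and only then split the remaining fields.
    head, sep, command = m["body"].partition(" ; COMMAND=")
    if sep:
        rec["COMMAND"] = command
    for part in head.split(" ; "):
        part = part.strip()
        field = FIELD_RE.match(part)
        if field:
            rec[field.group(1)] = field.group(2)
        elif part:
            # Free text such as "command not allowed" marks a refusal.
            rec["event"] = part
    return rec


def review(lines):
    """List (user, kind, detail) tuples worth a second look."""
    findings = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue  # not a sudo entry
        if rec["event"] != "ok":
            findings.append((rec["user"], "denied", rec["event"]))
            continue
        argv = rec.get("COMMAND", "").split()
        name = argv[0].rsplit("/", 1)[-1] if argv else ""
        # su, or a shell started without -c, ends the audit trail.
        if name == "su" or (name in SHELLS and "-c" not in argv[1:]):
            findings.append((rec["user"], "untracked-shell", rec["COMMAND"]))
    return findings


SAMPLE = [
    # From the message above.
    "Apr 5 15:26:07 zimbu sudo: amar : TTY=ttyp4 ; PWD=/home/amar ; "
    "USER=root ; COMMAND=/usr/bin/whoami",
    # Constructed lines below.
    "Apr  5 15:31:40 zimbu sudo:     amar : TTY=ttyp4 ; PWD=/home/amar ; "
    "USER=root ; COMMAND=/bin/sh -c echo one ; echo two",
    "Apr  5 15:33:12 zimbu sudo:     amar : TTY=ttyp4 ; PWD=/home/amar ; "
    "USER=root ; COMMAND=/usr/bin/su -",
    "Apr  5 15:40:02 zimbu sudo:    guest : command not allowed ; TTY=ttyp5 ; "
    "PWD=/home/guest ; USER=root ; COMMAND=/usr/sbin/ppp -background myisp",
    "Apr  5 15:41:10 zimbu sudo:    guest : 3 incorrect password attempts ; "
    "TTY=ttyp5 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/bin/su",
    "Apr  5 15:45:00 zimbu sshd[812]: Accepted publickey for amar "
    "from 192.0.2.10 port 50122 ssh2",
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

The "untracked-shell" rule reflects the point made in the message: once a root shell is open, the commands typed in it no longer reach the sudo log.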
Re: Should sudo be used?
On 4/5/07, Victor Engmark <[EMAIL PROTECTED]> wrote:
> Hi all,

Hello,

> Are you using sudo? If not, why?

Yes I am. I would say anything allowing not to use the root password is worth using.
Just man 5 sudoers to properly setup your sudoers file..

> --
> Victor Engmark

--
Pietro Cerutti

- ASCII Ribbon Campaign -
against HTML e-mail and
proprietary attachments
www.asciiribbon.org
Re: Should sudo be used?
On Thu, April 5, 2007 09:42, Victor Engmark wrote:
> Hi all,
>
> I thought it would be a good idea to use sudo on my FreeBSD laptop, but I'm
> having doubts after checking the handbook (it's not mentioned at all) and
> Google (most of the articles were obscure and / or old).
>
> Are you using sudo? If not, why?

I personally don't use sudo. From my perspective the only real advantage to using it is that it is possible to provide a fine-grained access to limited functions that would normally only be available to the root account. Thus, if you require more than one "normal" account to perform some aspect of system maintenance it is possible to do this via the sudoers file.

As I'm the sole maintainer of /my/ systems I don't feel the need to utilize sudo. Instead I have a separate local account on each system added to the wheel group and use that to su to the root account to perform system maintenance. Therefore, I don't use my normal everyday account when performing system maintenance.

--
kelvin
Re: Should sudo be used?
On 4/5/07, Victor Engmark <[EMAIL PROTECTED]> wrote:
> Well, the standard argument is that with sudo you don't have to worry
> about executing something as root which you intended to execute as a
> normal user. That's good enough for me, but are there any disadvantages
> except just having another package & config file?

None that I know about

> Is sudo slow or incompatible with certain commands?

None that I know about

> Does it have a bad security track record?

http://www.courtesan.com/sudo/alerts/

> Is it still maintained, and will it be maintained in the foreseeable
> future?

Yes, it's still maintained, but as you can see from the CVS logs, not actively developed. I can't tell you if it's because sudo's pretty "done", or because simply nobody's improving it.

> Does it conflict with other packages? Etc..

    $ grep CONFLICTS /usr/ports/security/sudo/Makefile
    Exit 1

Apparently not..

> Thanks for your answers! It seems this is not quite as resolved for
> FreeBSD as for Ubuntu et al..

Hope this helps..

> --
> Victor "non desperandum" Engmark
> Quidquid latine dictum sit, altum videtur - What is said in Latin,
> sounds profound

--
Pietro Cerutti

- ASCII Ribbon Campaign -
against HTML e-mail and
proprietary attachments
www.asciiribbon.org
Re: Should sudo be used?
On 4/5/07, Schiz0 <[EMAIL PROTECTED]> wrote:
> I don't use sudo. I find it rather pointless. If I need to do something as
> root, I use su to gain root privileges, then when I'm done, I exit and
> return to the original user. The user running su must be in the group
> "wheel" to be able to su to root. This is a simple yet convenient security
> system.

What when you have several people with different privileges wanting to do stuff that normally only root can? Would you give your root password to everyone, or rather install sudo and define exactly what a user can do?

--
Pietro Cerutti

- ASCII Ribbon Campaign -
against HTML e-mail and
proprietary attachments
www.asciiribbon.org
Re: Should sudo be used?
I don't use sudo. I find it rather pointless. If I need to do something as root, I use su to gain root privileges, then when I'm done, I exit and return to the original user. The user running su must be in the group "wheel" to be able to su to root. This is a simple yet convenient security system.

su is standard, sudo is another binary to install. So I don't bother installing it.

On 4/5/07, Victor Engmark <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I thought it would be a good idea to use sudo on my FreeBSD laptop, but I'm
> having doubts after checking the handbook (it's not mentioned at all) and
> Google (most of the articles were obscure and / or old).
>
> Are you using sudo? If not, why?
>
> --
> Victor Engmark
Re: Should sudo be used?
On 05/04/07, Schiz0 <[EMAIL PROTECTED]> wrote:

[Moved answer to the bottom -- please don't use top post]

> On 4/5/07, Pietro Cerutti <[EMAIL PROTECTED]> wrote:
> >
> > On 4/5/07, Schiz0 <[EMAIL PROTECTED]> wrote:
> > > I don't use sudo. I find it rather pointless. If I need to do something as root, I use su to gain root privileges, then when I'm done, I exit and return to the original user. The user running su must be in the group "wheel" to be able to su to root. This is a simple yet convenient security system.
> >
> > What when you have several people with different privileges wanting to do stuff that normally only root can? Would you give your root password to everyone, or rather install sudo and define exactly what a user can do?
> >
> True, if that was the case I'd use sudo. But I'm the only user on my systems that I'd trust with root access, so there's no point with my setup.

Well, sudo makes execution of several commands or script as another user quite simple because there's no need to enter the root password. For example I've three Access Points at home, but my machine can't connect to the "nearest" one automatically. So I need to issue "ifconfig ath0 scan" as root. Since I'm not root all the time, I defined an alias that executes the command using sudo. It's just one word, and I'm set.

My girlfriend is using my old Laptop now, and I installed FreeBSD on it, too. So she needs the command, too. Since she isn't used to the Console I defined a new program/button in KDE she can press.

So you see, there are reasons to use sudo even if you're the only user on a system. But as anywhere else in the Unix world, there are several different ways of how to perform a certain task, and the way one chooses is up to him/her.
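The setup discussed in the messages above (Pietro Cerutti's "define exactly what a user can do" and the single "ifconfig ath0 scan" command), written out as a sudoers fragment. This is an added example, not part of the original thread; the user names and the NOPASSWD choice are assumptions.

```sudoers
# Added example, not from the thread. user1 and user2 are hypothetical
# account names; ath0 and the scan command come from the message above.
# Edit with visudo so a syntax error is caught before the file is saved.

User_Alias  WIFI_USERS = user1, user2

# Too broad: permits any ifconfig invocation as root, so these users
# could also take interfaces down or change addresses.
# WIFI_USERS  ALL = NOPASSWD: /sbin/ifconfig

# Tight: when arguments are listed in the rule, sudo only allows the
# command with exactly those arguments.
Cmnd_Alias  AP_SCAN = /sbin/ifconfig ath0 scan

# NOPASSWD is an assumption here so that a desktop button can run the
# scan without a prompt. Drop the tag to require the user's own
# password (sudo never asks for the root password by default).
WIFI_USERS  ALL = (root) NOPASSWD: AP_SCAN

# This rule grants nothing else: any other root task still needs su
# (wheel membership plus the root password) or a separate sudoers rule.
```

Running "sudo -l" as one of the listed users shows exactly which commands the rule permits, which is a quick check that the grant is no wider than intended.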
Re: Should sudo be used?
On 4/5/07, Schiz0 <[EMAIL PROTECTED]> wrote:

> True, if that was the case I'd use sudo. But I'm the only user on my systems that I'd trust with root access, so there's no point with my setup.

[Please don't top post]

Anyway, yes, I would say it depends on the situation, and it's even a matter of taste. I use sudo on my laptop, even if I'm the only user... de gustibus non disputandum est...

--
Pietro Cerutti - ASCII Ribbon Campaign - against HTML e-mail and proprietary attachments www.asciiribbon.org
Re: Should sudo be used?
True, if that was the case I'd use sudo. But I'm the only user on my systems that I'd trust with root access, so there's no point with my setup.

On 4/5/07, Pietro Cerutti <[EMAIL PROTECTED]> wrote:

> On 4/5/07, Schiz0 <[EMAIL PROTECTED]> wrote:
> > I don't use sudo. I find it rather pointless. If I need to do something as root, I use su to gain root privileges, then when I'm done, I exit and return to the original user. The user running su must be in the group "wheel" to be able to su to root. This is a simple yet convenient security system.
>
> What when you have several people with different privileges wanting to do stuff that normally only root can? Would you give your root password to everyone, or rather install sudo and define exactly what a user can do?
>
> --
> Pietro Cerutti - ASCII Ribbon Campaign - against HTML e-mail and proprietary attachments www.asciiribbon.org