sudo security concerns ?

Karl Hegbloom hegbloom at pdx.edu
Fri Nov 26 15:47:32 CST 2004


On Fri, 2004-11-26 at 13:37 -0800, Lloyd D Budd wrote:
>
> > At the very least, this issue should be documented in the manuals.  Warn
> > users not to do that.  Explain the possibility, tell them not to do
> > that.
> 
> Which manual?  I do not think anyone is working on "that" manual yet
> -- though how is it different from detailed information on sudo.
> Please do not put it in the general user's guide as it is distracting
> and extraneous for most people.

The systems administration manual, I suppose.  UID 1000 needs to know,
certainly.  Other users (family members?  student computing lab users?)
won't be given full sudo access anyhow, most likely, so their accounts
won't be as vulnerable.

> > This situation with Sudo looks to me like a relatively easy
> > target to hit...
>
> Easy to you who has made it clear that you do not know much about sudo?!

Perhaps true.  I should research the issue further indeed, including
reading the source to 'sudo' itself.  I wish I had more time...  I need
to get ready for final exams...  But I can put in 1 hour a day on this.

> If you want a locked down Linux choose a distro that specializes in
> that, but the current available distributions are not "accessible" to
> many people.
> 
> Everything is a balancing act between many factors including security
> and usability.  I am sure everyone would be excited by you designing
> solutions that balance the security and usability concerns as well as
> considering the huge number of other factors.

The main thing is that we don't want 'outbreak express' and the whole
anti-virus FUD racket preying on the users of the Linux platform.  We
want to be virus proof and spy-ware proof from the get-go.  We want our
platform to be part of the solution, not part of the problem.

Improved security IS improved usability.

-- 
    Karl Hegbloom
(o_  mailto:hegbloom at pdx.edu
//\   jabber:karlheg at jabber.org
V_/_   yahoo:karlheg




