sudo and /etc/sudoers

jdow jdow at earthlink.net
Mon Dec 29 22:45:16 UTC 2008


From: "Derek Broughton" <derek at pointerstop.ca>
Sent: Monday, 2008, December 29 14:29


> Res wrote:
>
>> On Mon, 29 Dec 2008, Matthew Flaschen wrote:
>>
>>> Karl F. Larsen wrote:
>>>>     Yes and it is seldom used.
>>>
>>> How on earth do you know?
>>>
>>>> With a lot of thought, if I was running a
>>>> Unix computer with many users I would disable sudo, get me a root
>>>> password, and handle the users with which groups they belong to.
>>>
>>> Except magical groups alone will not let users have limited access to
>>> root programs, which is of course the whole point.
>>
>> users should never be able to run root programs. this might be fine for
>> your lil home 1337 b0x3n, but not fine in the real world.
>
> LOL.  What a ridiculous attitude from somebody who claims to be an expert.
> _Somebody_ has to run root programs, and ime it is both possible and
> advisable to have it not be somebody who is logged in as root.  On one of my
> large server systems, I am one of the two prime administrators - neither one
> of us actually has the root password, which _does_ exist but only the
> daytime computer room operator has.  Works fine.

I'd feel safer with that sort of configuration if the sudo program had
an option to use a second password list that had a second unique
encrypted password for each of the sudoers. Then if your password is
cracked the person still can't get at sufficient root level tools to
cause mayhem by changing any form of configuration. They'd have to crack
both your password AND your sudo-word to get in.

(But, then, I am not that paranoid for a home system. I don't have any
potentially inimical critters around to sit down at the keyboard and
mess around. Kids are all gone off to their own lives so it's just me
and my partner.)

{^_-} 




