[GRLUG] Sudo
Tim Schmidt
timschmidt at gmail.com
Thu May 4 19:03:04 EDT 2006
On 5/4/06, David Pembrook <david at pembrook.net> wrote:
> That would be useful and I'm all ears. I learned sudo the hard way reading
> docs on it.
>
> As far as mom installing software, most mom's don't want to and you'll be
> ssh'ing in and doing it yourself.
>
> what I firestorm I started complaining about ubuntu lol. I only hope we
> learn sudo better out of all this.. My point in the first place was about
> preference anyhow... I didn't like how something was handled.. I still stand
> by my feelings there but I'm always game to learn something new.
Just remember Dave, preference _can_ be bad if it means doing
something in a less secure way.
Now, the security differences between two well configured systems, one
with sudo, one with a root account, _can_ be minimal. And of course,
a poorly configured sudo system can be less secure than a well
configured sudo-less system.
And that's the key... configuration. sudo gives administrators a few
more options than su - especially for systems with multiple
administrators, or multiple levels of admins. And sudo can be
configured to be _slightly_ more secure for a regular one-user
workstation setup. So it's a little more flexible. Unfortunately,
that comes with a learning curve (and as we've seen, some
misconceptions).
The out-of-the-box Ubuntu policy is to give the user setup during the
install sudo rights to ALL, and deny rights to absolutely every other
user added to the system.
As we've discussed in the previous thread, I feel that's a reasonable
setup... but I'm very open to discussion about improving it.
Should there be a more featureful (and thus, more complex) user setup
during the install?
OK... that's the only sane question about Ubuntu's policy I can come
up with currently... you try.
Now, for systems with multiple users... that's where it gets interesting.
Does anyone do anything fun with logging and sudo? (e.g. Logged root shells?)
How about granting new admins slightly fewer permissions than seasoned ones?
Any tricks for keeping those pesky users with sudo rights out of root shells?
--tim
More information about the grlug
mailing list