On Tue, May 21, 2002 at 08:54:15PM +0200, Hans Ekbrand wrote:
> On Tue, May 21, 2002 at 07:44:10PM +0100, Colin Watson wrote:
> > > How so? Regularly sudo'ing, sure, since that uses the user's password
> > > as a (hopefully limited) root password.
>
> On the contrary, since sudo'ing does not require the use of root's
> frequent use of sudo will never reveal the root password. No sane
> person will set up sudo to give unlimited root access, that would
> defeat the whole purpose with sudo.

Never reveal the root password, sure. But I frequently see suggestions that you should use sudo instead of su without explaining that it needs to be locked down. I've worked with a competent (but insufficiently paranoid) sysadmin who thought nothing of using 'sudo bash' on a regular basis.

Even among those who do know enough to lock down sudo, there are many who don't know how to do it properly and will reason that if Bob needs to be able to add users to groups, it's perfectly safe to let him 'sudo vi /etc/group' without realizing that this gives Bob easy access to a root shell. And that's without even considering the possibility of programs that can be convinced to execute arbitrary commands even though they weren't designed to...

At this point, I'm sure it comes as no surprise that I tend to consider an account with sudo access to be root-equivalent.

-- 
When we reduce our own liberties to stop terrorism, the terrorists have already won. - reverius

Innocence is no protection when governments go bad. - Tom Swiss
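
The three kinds of grant discussed in this message (unlimited access, 'sudo bash', and 'sudo vi /etc/group') can be checked for mechanically. The following is an added example, not part of the original message: a simplified Python audit run over a constructed sudoers file. The SHELLS and ESCAPABLE lists, the sample users and the function name are assumptions, and aliases, includes and line continuations are not handled.

```python
import re

# Assumed, illustrative lists; extend them for the programs on your hosts.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
ESCAPABLE = {"vi", "vim", "emacs", "less", "more"}  # can start a shell from inside
DIRECTIVES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample input, not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset
alice ALL = (ALL) ALL
bob   ALL = /usr/bin/vi /etc/group
carol ALL = (root) NOPASSWD: /bin/bash, /sbin/reboot
erin  ALL = sudoedit /etc/group
"""

def audit_sudoers(text):
    """Return (user, command, reason) for every root-equivalent grant found."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # simplification: '#' starts a comment
        if not line or "=" not in line or line.startswith(DIRECTIVES):
            continue
        left, right = line.split("=", 1)
        user = left.split()[0]
        right = re.sub(r"^\s*\([^)]*\)", "", right)  # drop the Runas spec, e.g. (root)
        for cmd in right.split(","):
            cmd = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", cmd).strip()  # drop tags like NOPASSWD:
            if not cmd:
                continue
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((user, cmd, "any command"))
            elif name in SHELLS:
                findings.append((user, cmd, "shell"))
            elif name in ESCAPABLE:
                findings.append((user, cmd, "shell escape"))
            # sudoedit is not flagged: the editor runs as the invoking user
            # on a temporary copy of the file, not as root.
    return findings

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: '{cmd}' is root-equivalent ({reason})")
```
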