On Mon, Dec 9, 2013 at 9:56 AM, Gian Uberto Lauri <sa...@eng.it> wrote:
> Andrei POPESCU writes:
>> On Lu, 09 dec 13, 09:09:11, Gian Uberto Lauri wrote:
>>> What are the benefits of the "Macintosh/Ubuntu" use of sudo? Improved
>>> security? Are you kidding? Whatever the user I compromise I have root
>>> access, just type "sudo bash".
>>
>> sudo doesn't make this worse, just slightly easier. Compromising any
>> user account used for getting root is equivalent to getting root on the
>> system.
>
> sudo makes it a bit worse. Any user account opens the door to the root
> account. Therefore you have to guard a larger perimeter.

You're assuming that everyone has "ALL" as the executable that can be run via sudo and that sudo is only used to act as root.

>> 2. it's still better than having to require a password every time the
>> user runs 'sudo <command>', because the net effect would be that most
>> would disable the password completely or just leave a 'sudo -i' session
>> active for ever (and not lock their screen, etc.)
>
> Teach them to use a root session that must be handled with extreme
> care.
>
> I have to do X commands as root? I su root, do the X command and close
> the session.
>
> With the off-the-shelf configuration, the simplest thing to do is sudo
> bash.

You're assuming that everyone has "ALL" as the executable that can be run via sudo. By default on a Debian system, only the members of the "sudo" group have unrestricted access to root via sudo.
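An added example, not part of the original message: a small Python audit that separates sudoers rules granting unrestricted root from rules limited to specific commands or to a non-root target user, which is the distinction the reply draws. The sample file is constructed (the `backup` and `deploy` entries are hypothetical), and the parser assumes simple one-line rules only.

```python
import re

# Constructed sample: the two unrestricted rules Debian ships by default,
# plus two hypothetical restricted entries (backup, deploy) for contrast.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) /usr/bin/systemctl restart myapp
"""

# who host = (runas) commands -- one-line user specifications only.
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...


def parse_rules(text):
    """Yield (who, runas_users, commands) for each simple rule.

    Simplification: aliases, includes and line continuations are skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m or m["who"].endswith("_Alias"):
            continue
        # No Runas_Spec means the command runs as root.
        runas = ["root"] if m["runas"] is None else [
            u.strip() for u in m["runas"].split(":")[0].split(",") if u.strip()
        ]
        cmds = [TAGS.sub("", c.strip()) for c in m["cmds"].split(",")]
        yield m["who"], runas, cmds


def classify(text):
    """Map each user or %group to 'unrestricted-root' or 'limited'."""
    result = {}
    for who, runas, cmds in parse_rules(text):
        full = "ALL" in cmds and bool({"root", "ALL"} & set(runas))
        if full or who not in result:
            result[who] = "unrestricted-root" if full else "limited"
    return result


if __name__ == "__main__":
    for who, level in classify(SAMPLE_SUDOERS).items():
        print(f"{who:10} {level}")
```

On a live system, `sudo -l -U <user>` lists the rules that apply to a user after aliases and includes are resolved.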