On Tue, Dec 10, 2013 at 7:59 AM, Gian Uberto Lauri <sa...@eng.it> wrote:
> Tom H writes:
>> On Mon, Dec 9, 2013 at 8:09 AM, Gian Uberto Lauri <sa...@eng.it> wrote:
>>> If some users needed to have the root power for a small set of
>>> operations, then sudo would give them that exact power, no more no
>>> less.
>>>
>>> What are the benefits of the "Macintosh/Ubuntu" use of sudo? Improved
>>> security? Are you kidding? Whatever the user I compromise I have root
>>> access, just type "sudo bash".
>>
>> You seem to assume that everyone has "ALL" as the executable that can
>> be run via sudo.
>
> That wrong assumption has already been pointed out.
>
> But with this configuration you have 2 critical accounts instead of
> one.
>
> Everybody is aware that root is a critical account, how many do
> realize that the first (often the only) user account in such systems
> is as critical as the root one?

In the corporate environments where I work, we are about 70 sysadmins
in my location and about half as many in another. We all sudo to root
on our more or less 11,000 systems. So by your reckoning we have 100
critical accounts but that's not how our internal and external
security auditors see it.

Most of the people who have no idea that they have a critical account
are like my parents, who have Unity installed on their laptops. When
they're prompted to update their systems, they do so and type in their
passwords when asked to, just like a Windows or OS X user. Not
everyone messes around with his/her configuration, uses terminals, or
whatever.

>>> Furthermore the sudo habit of keeping valid an authentication for a
>>> certain amount of time seems like an open door for malicious code
>>> injection.
>>
>> You can use the "timestamp_timeout" option to set this to zero.
>
> This should be the default, but is not.

I agree. But I suspect that, as someone else has pointed out, it would
annoy many people to have to type their password for every
sudo-prepended command.
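
The two settings debated in this thread (whether an account's sudo rule grants "ALL" or a short command list, and whether "timestamp_timeout" is set to zero) can be checked mechanically. The following is an added example, not part of the original message: the sample sudoers text and the `audit` helper are constructed for illustration, and the parser assumes simple one-line rules only.

```python
import re

# Constructed sample sudoers text (not taken from any real system).
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults timestamp_timeout=0
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) /usr/bin/rsync, /bin/tar
deploy  ALL=(root) NOPASSWD: ALL
"""

# who  host = (runas) commands
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as NOPASSWD:

def audit(text):
    """Return (unrestricted, restricted, timeout) for simple sudoers text.

    Assumption: no aliases, line continuations or include directives;
    lines starting with '#' are all treated as comments.
    """
    unrestricted, restricted, timeout = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            m = re.search(r"timestamp_timeout\s*=\s*(-?[\d.]+)", line)
            if m:
                timeout = float(m.group(1))
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, cmds = m.group(1), m.group(2)
        cmd_list = [TAG.sub("", c.strip()) for c in cmds.split(",")]
        if "ALL" in cmd_list:
            # Equivalent to root: "sudo bash" works for this account.
            unrestricted.append(who)
        else:
            restricted[who] = cmd_list
    return unrestricted, restricted, timeout

if __name__ == "__main__":
    full, limited, timeout = audit(SAMPLE_SUDOERS)
    print("root-equivalent accounts:", full)
    print("command-limited accounts:", limited)
    print("timestamp_timeout:", timeout if timeout is not None else "not set")
```

A `timeout` of `None` means no explicit setting was found, so the value compiled into sudo applies.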