From owner-freebsd-security Sat Mar 27 23:28:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id A610014C0C for ; Sat, 27 Mar 1999 23:28:39 -0800 (PST) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id XAA01660; Sat, 27 Mar 1999 23:27:44 -0800 (PST)
Message-ID: <19990327232743.C29901@best.com>
Date: Sat, 27 Mar 1999 23:27:43 -0800
From: "Jan B. Koum "
To: Matthew Dillon , James Wyatt
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References: <199903251836.KAA00989@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199903251836.KAA00989@apollo.backplane.com>; from Matthew Dillon on Thu, Mar 25, 1999 at 10:36:55AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Mar 25, 1999 at 10:36:55AM -0800, Matthew Dillon wrote:
>
> :
> :On Thu, 25 Mar 1999, Matthew Dillon wrote:
> : [ ... ]
> :> are still vulnerable. You can get into the account just fine without
> :> exposing a password, but once in the account if you need to type a
> :> password of any sort in to do something else, *that* password is
> :> vulnerable to interception.
> :
> :especially sudo and su... - Jy@
>
> We used sudo for a little while 3 years ago, but I decided that it was
> too big a security risk and wiped it. sudo is one of the stupidest
> programs I've ever seen.
>
> -Matt
> Matthew Dillon
>

I have to agree with Matt 200% on the sudo. While the software itself might be well done -- the idea of 'partial root' is not. At the large FreeBSD shop where I work I see sudo being abused by people who are not qualified to even have a Unix shell. To many, sudo != root, whereas it is just that: root. If you trust someone with root, let them su(1). Else don't even give them partial root access.

-- Yan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
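Yan's point that "partial root" handed out through sudo is usually just root can be checked mechanically against a sudoers file. The script below is an added example, not code from the original thread or from the sudo project: it parses a small sudoers fragment and flags rules that grant a full root shell either outright (command `ALL`) or through a well-known shell escape (editors and pagers that run `:!sh` / `!sh`, interpreters, shells). The sudoers text is constructed for illustration, and the list of shell-escape binaries is an assumption of the example, not an exhaustive catalogue.

```python
"""
Audit a sudoers file for rules that are effectively full root.

Added example, not part of the original post or of the sudo project.
The sudoers text and the shell-escape list below are constructed
assumptions for illustration.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "user host runas command args tags")

# user  host = (runas) [TAG:] command [args][, ...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

# Binaries from which the caller can spawn an interactive shell as the
# sudo target user (vi ":!sh", less "!sh", perl -e 'exec "/bin/sh"', ...).
# Assumed, illustrative list; a real audit would maintain a longer one.
SHELL_ESCAPE_BINARIES = {
    "sh", "bash", "csh", "tcsh", "ksh",
    "vi", "vim", "ed", "less", "more", "man",
    "find", "awk", "perl", "python",
}

# Constructed sample sudoers; no real host is described here.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults    env_reset
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL
bob     ALL=(root) NOPASSWD: /usr/bin/vi /etc/hosts
carol   ALL=(root) /usr/local/bin/restart-httpd
dave    ALL=(root) /usr/bin/less /var/log/messages
erin    ALL=(root) /bin/sh
"""


def parse_rules(text):
    """Parse user-specification lines into Rule tuples (aliases/Defaults skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, cmnd_list = m.groups()
        for spec in cmnd_list.split(","):
            tokens = spec.split()
            tags = frozenset(t[:-1] for t in tokens if t.endswith(":"))
            words = [t for t in tokens if not t.endswith(":")]
            if words:
                # sudo's default target user is root when no (runas) is given
                rules.append(Rule(user, host, runas or "root",
                                  words[0], tuple(words[1:]), tags))
    return rules


def classify(rule):
    """Return why a rule is effectively root, or None if it looks genuinely limited."""
    if rule.command == "ALL":
        reason = "full root: command ALL"
    else:
        base = rule.command.rsplit("/", 1)[-1]
        if base in SHELL_ESCAPE_BINARIES:
            reason = f"effectively root: {base} can spawn a shell as {rule.runas}"
        else:
            return None
    if "NOPASSWD" in rule.tags:
        reason += " (NOPASSWD)"
    return reason


def audit_sudoers(text):
    """Map each user to the list of reasons their sudo access amounts to root."""
    findings = {}
    for rule in parse_rules(text):
        reason = classify(rule)
        if reason:
            findings.setdefault(rule.user, []).append(reason)
    return findings


if __name__ == "__main__":
    for user, reasons in audit_sudoers(SAMPLE_SUDOERS).items():
        for r in reasons:
            print(f"{user}: {r}")
```

Run against the sample, only carol's single-purpose wrapper escapes the "this is root" verdict, and even that depends on the wrapper itself being read-only and not invoking anything with a shell escape; the heuristic catches the common cases, it does not prove a rule is safe.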