From owner-freebsd-questions@FreeBSD.ORG Thu Dec 16 22:39:39 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 02FD016A4CE for ; Thu, 16 Dec 2004 22:39:39 +0000 (GMT) Received: from ns1.tiadon.com (SMTP.tiadon.com [69.27.132.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id 772EF43D4C for ; Thu, 16 Dec 2004 22:39:38 +0000 (GMT) (envelope-from kdk@daleco.biz) Received: from [69.27.131.0] ([69.27.131.0]) by ns1.tiadon.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 16 Dec 2004 16:41:03 -0600 Message-ID: <41C20EBF.9080100@daleco.biz> Date: Thu, 16 Dec 2004 16:39:59 -0600 From: "Kevin D. Kinsey, DaleCo, S.P." User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.3) Gecko/20041210 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Paul Schmehl References: <005a01c4e31c$efc4d460$0200a8c0@PANASONIULSWMR> <41C16D47.7030302@infracaninophile.co.uk> <0A2B2390CE654BA6B5F8E621@utd49554.utdallas.edu> In-Reply-To: <0A2B2390CE654BA6B5F8E621@utd49554.utdallas.edu> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 16 Dec 2004 22:41:04.0500 (UTC) FILETIME=[535C4B40:01C4E3C0] cc: freebsd-questions@freebsd.org Subject: Re: Why reccomend Bash shell? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Dec 2004 22:39:39 -0000 Paul Schmehl wrote: > --On Thursday, December 16, 2004 11:11:03 AM +0000 Matthew Seaman > wrote: > >> >> On the other hand, I take the view that the less done by the super user >> the better, and discourage myself to use sudo(1) preferentially and to >> keep su(1) sessions as short as possible by making root's shell as >> /unfriendly/ as possible. >> > Is this a religious argument? Or is there a sound security basis for it? > > I ask because I'm not sure I see the difference. I prefer to leave sudo > set up to prompt for a password. This at least reminds you that what > you're doing is "root's" work (and if you screw up, you could do "bad" > things.) If I'm going to do a lot of work, I just su - to root, do > the work > and then get out. I don't allow remote root access, so I'm wondering - > am I exposing my systems to some unnecessary risk? Or is this just > a matter of personal preference? The primary reason, IMHO, for such an opinion is just what you mention --- the danger that, as root, you'll fsck some command line (the infamous "rm -rf /*") and cook your goose in its own grease.... [Come to think of it, I got myself in a little trouble once by quitting the editor on /etc/fstab a little too quickly (before double checking what I'd typed --- can't say it'd been any different using sudo, though)]. In your case, I'd venture the opinion that if you're not using NOPASSWD with sudo, you've pretty much got this concern taken care of, as much as can be expected. I also think maybe he meant to use "encourage" instead of "discourage", but you'd really have to ask him .... Kevin Kinsey