Date: Thu, 25 Mar 1999 19:32:48 -0500
From: Garance A Drosihn
To: Jeff Aitken
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
In-Reply-To: <199903252320.SAA07455@eagle.aitken.com>

At 6:20 PM -0500 3/25/99, Jeff Aitken wrote:
> Out of curiosity, to what programs do you typically grant people
> sudo access? Is it not true that most "useful" programs a sysadmin
> might need to do his job contain some way of exec'ing another
> program? For example, you can't use sudo to grant access to a text
> editor of any sort without implicitly giving full root access.

Anyone allowing 'sudo vi' deserves what they get, the same way that
anyone pasting their root password on their monitor deserves what
they get. Why do we bother with passwords at all, if there are
people who do stupid things with passwords?

We give sudo access to something like 'lpc', for starting or
stopping printer queues. Or we have special reboot scripts (yes,
scripts). We'll trust people to do reboots as they feel necessary
(particularly since sudo will log the action), but not give out
root access to a few dozen part-time students who work in our
help desk.

Similarly, we have programs to fix one odd problem or another (such
as "restarting portmap", which is a recent problem on our AIX
boxes), and those part-time students might be allowed to do that.

We admin some unix machines that we do not own. We give the
owner (and maybe their grad students) access to a few things
they need access to, and rightfully deserve access to, without
having to worry about them "fixing" some problem in a way that
breaks some of our automatic procedures. And we can do this
without having to keep track of hundreds of different passwords
for root (on different unix machines).

And even when it's someone we trust, like, say, *ME*, there is
an advantage to using sudo. An 'rm *' in the wrong window (such
as a 'su'-ed window) isn't quite as catastrophic. Yes, a
'sudo rm *' can be bad news, but I am not likely to type sudo
unless I'm really sure I need special privs for something. It
also means we have a log of priv commands done, useful when
something goes haywire and you think 'uh, what just happened?'.
(Remember, we're in an environment with multiple sysadmins, since
we are dealing with a few hundred unix workstations running
solaris, aix, or irix.)

In some environments sudo may seem pointless, but in other
situations it can be quite helpful.

---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute
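
The distinction drawn in the message above, as an added example that is not part of the original post or of sudo itself: a small Python audit over a constructed sudoers fragment that flags grants amounting to full root (a text editor, or a bare ALL) and passes narrow ones such as lpc or a reboot script. The user names, host name, script paths and the ESCAPE_PRONE set are assumptions of this example, and the parser covers only the common one-rule-per-line form.

```python
import re

# Assumption: programs treated as able to start other programs. The thread
# names text editors; the pagers in this set are this example's addition.
ESCAPE_PRONE = {"vi", "vim", "view", "ex", "ed", "emacs", "pico", "less", "more"}

# Constructed sudoers fragment; every user, host and path name is made up.
SAMPLE = r"""
# help desk students: printer queues, reboot script, portmap restart
Cmnd_Alias HELPDESK = /usr/sbin/lpc, /usr/local/sbin/site-reboot, \
                      /usr/local/sbin/restart-portmap
Cmnd_Alias EDITORS  = /usr/bin/vi, /usr/bin/emacs
%helpdesk  ALL     = HELPDESK
owner1     labhost = /usr/sbin/lpc, EDITORS
admin1     ALL     = (ALL) ALL
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if line:
            yield line

def audit(text):
    """Return (who, command, reason) for each grant that amounts to full root."""
    aliases, rules, findings = {}, [], []
    for line in logical_lines(text):
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        elif not re.match(r"(User|Host|Runas)_Alias\b|Defaults", line):
            rules.append(line)
    for line in rules:  # second pass, so an alias may be defined after its use
        who, spec = line.split(None, 1)
        # Drop "(runas)" lists and tags such as "NOPASSWD:" before splitting.
        cmds = re.sub(r"\([^)]*\)|\b[A-Z]+:", "", spec.split("=", 1)[1])
        for item in filter(None, (c.strip() for c in cmds.split(","))):
            for cmd in aliases.get(item, [item]):
                prog = cmd.split()[0].rsplit("/", 1)[-1]
                if cmd == "ALL":
                    findings.append((who, cmd, "unrestricted"))
                elif prog in ESCAPE_PRONE:
                    findings.append((who, cmd, "can start other programs"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```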