From: Paul Schmehl
To: Pietro Cerutti
cc: FreeBSD
Date: Thu, 03 Mar 2005 17:56:35 -0600
Subject: Re: sudo & su
Message-ID: <5147B1385074A473CA31D750@utd49554.utdallas.edu>
References: <2F1BC4E1DAFE0EE0733135BA@utd49554.utdallas.edu>

--On Thursday, March 03, 2005 10:47:09 PM +0000 Pietro Cerutti wrote:

> There isn't any NOPASSWD, but if I give the password the first time,
> sudo doesn't ask for it anymore in the next 5 min or so...

Answered by another poster - look at the timeout section of the man page.

> I think I really misunderstood the purpose of sudo. I thought that it
> was used to automatically login as root, give a command, and log back
> out to user who invoked the command.
> So what's the purpose of asking for the password of the actually logged
> in user?

With sudo you get *logging* of every command the person using sudo runs. You don't get that if they use su (except for root's .history file.) The purpose of sudo is to allow "normal" users to issue *certain* commands with root privileges *and* to track what they do for accountability purposes. (Who deleted /usr? (*&)(&@#(&@!!!)

The timeout is to facilitate the use of the command without having to constantly type your password. Imagine having to type your password every time you issue a command. It would get irritating real quick.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
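
The accountability point in the message above, as an added example that is not part of the original message: a small parser for sudo's usual syslog line format that answers "who ran a command touching /usr?". The sample log lines, host name and user names are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample lines in sudo's usual syslog format (host, users and
# commands are made up for this example). The last line is an su entry,
# which records the switch to root but none of the commands run afterwards.
SAMPLE_LOG = """\
Mar  3 17:41:02 host1 sudo:    alice : TTY=ttyp0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
Mar  3 17:44:10 host1 sudo:      bob : TTY=ttyp1 ; PWD=/ ; USER=root ; COMMAND=/bin/rm -rf /usr
Mar  3 17:45:30 host1 sudo:    carol : command not allowed ; TTY=ttyp2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/sh
Mar  3 17:46:00 host1 su: alice to root on /dev/ttyp0
"""

ENTRY = re.compile(
    r"^(?P<when>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+)\s:\s(?P<fields>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for one sudo log line, or None for non-sudo lines."""
    m = ENTRY.match(line)
    if not m:
        return None
    rec = {"when": m["when"], "host": m["host"], "user": m["user"], "denied": None}
    # COMMAND is always the last field and may itself contain " ; ",
    # so split it off before breaking up the remaining fields.
    head, sep, command = m["fields"].partition("COMMAND=")
    rec["command"] = command if sep else None
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            # USER is the run-as account; keep it apart from the invoking user.
            rec["runas" if key == "USER" else key.lower()] = value
        else:
            rec["denied"] = part  # e.g. "command not allowed"
    return rec

def who_ran(log_text, needle):
    """List (when, user, command) for permitted commands containing needle."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and rec["command"] and not rec["denied"] and needle in rec["command"]:
            hits.append((rec["when"], rec["user"], rec["command"]))
    return hits

if __name__ == "__main__":
    for when, user, command in who_ran(SAMPLE_LOG, "/usr"):
        print(f"{when}  {user}  ran  {command}")
```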