From: Thomas Valentino Crimi
Date: Fri, 26 Mar 1999 11:34:47 -0500 (EST)
To: Matthew Dillon, Narvi
Cc: James Wyatt, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH

Excerpts from FreeBSD-Security: 26-Mar-99 Re: Kerberos vs SSH by Narvi@haldjas.folklore.e

> And if you are virtually giving the person having sudo capabilities full
> root, why not just give them root? Or not give them root, managing the
> resources differently (even if with setuid and/or setgid programs) and
> avoid sudo?

There most definitely is a place for sudo, but it is more of a convenience program than a security tool. The basic rule applies: if you don't trust the person with root, don't give them sudo access. If I were to, say, add enough protections to a program so that it can safely be run as root by any user, I may as well make it suid.
All sudo really does is make suid executables available to a closed list of people. Yes, I could do it with separate files, but sudo is convenient (and doing it the other way doesn't buy me any more security from what I can tell; suid vi is just as dangerous as sudo vi).

But if I have a local user at a workstation who would like the ability to, say, kill runaway programs, mount a disk, or reboot the machine so as to flip OSes, sudo is very convenient. By letting the user in front of the machine I already must implicitly trust them not to be malicious; with minimal skill, or even with a screwdriver or hammer, they have control of the machine. sudo can help you avoid the honest mistakes.

Everyone has different situations, and I could hardly advise an ISP to make extensive use of sudo; arguments about how to maintain a large number of people with the root password turn into 'you shouldn't have that many people with root'. If you do want to have 5+ people with root, I think sudo is a good answer. You can even use the access control list to give people _advice_ on what they should and shouldn't run (vipw, ok, rm, ok, but it's not your job to reboot - just an example). There's no use thinking the list will curtail a runaway disgruntled sysadmin, but then again, what does? :)

As stated many times, we all have different security situations, and in my loose group of machines, sudo makes sense. Barring any buffer overruns or other exploits of sudo, it works perfectly well at letting friends who also use the machines do what they need.