From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 16:38:17 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 95F1F1065694 for ; Fri, 27 Aug 2010 16:38:17 +0000 (UTC) (envelope-from mh@kernel32.de) Received: from crivens.kernel32.de (crivens.asm68k.org [81.169.171.191]) by mx1.freebsd.org (Postfix) with ESMTP id 5535C8FC13 for ; Fri, 27 Aug 2010 16:38:17 +0000 (UTC) Received: from www.terrorteam.de (localhost [127.0.0.1]) by crivens.kernel32.de (Postfix) with ESMTP id E50DDB03B9; Fri, 27 Aug 2010 18:38:14 +0200 (CEST) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Date: Fri, 27 Aug 2010 17:38:14 +0100 From: Marian Hettwer To: Aldis Berjoza In-Reply-To: References: <4C77A267.10102@thelostparadise.com> <5d88fc9506514cabc7390e66a1f9872f@localhost> Message-ID: <2d1a9e69fe9c17161df35fd248a40882@localhost> X-Sender: mh@kernel32.de User-Agent: RoundCube Webmail/0.1-rc2 Cc: Andy Kosela , Pieter, vadim_nuclight@mail.ru, freebsd-security@freebsd.org, de Boer , =?UTF-8?Q?Istv=C3=A1n?= Subject: Re: tcpdump -z X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Aug 2010 16:38:17 -0000 On Fri, 27 Aug 2010 19:20:57 +0300, "Aldis Berjoza" wrote: > On Fri, 27 Aug 2010 17:32:18 +0300, Marian Hettwer wrote: > >> On Fri, 27 Aug 2010 15:27:07 +0100, István wrote: >> >>> Well to be honest i don't see any case when i want to give sudo+tcpdump >>> access to any user on my box. And those who are admins/roots anyway the >> "su >>> -" just works perfectly and they can run tcpdump. >>> >> Well, that wasn't an answer to my question or the claim of Andy. >> In fact, if you need to give access to some root-only binaries to a >> normal user, sudo(8) is the way to go. >> With "su -" you would allow full root-access, even though you might >> just want to allow specific commands to an unprivileged user. >> >> so. ehm. no! >> In fact, I would suggest to disable root, so that su - doesn't work at >> all. >> >> ./Marian > > Ye, and once sudo is broken (somehow, for whatever reason) you have > lot's of fun (especially on servers) :D Well, yeah, if it's up to me, I'd like to see sudo in BASE, as OpenBSD does it :) ./Marian