From: István
To: Marian Hettwer
Cc: vadim_nuclight, freebsd-security, Andy Kosela, Pieter de Boer
Date: Sat, 28 Aug 2010 01:41:10 +0100
Subject: Re: tcpdump -z
List-Id: "Security issues [members-only posting]"

i know this attitude from previous experience when sysadmins are afraid of
using root shell in general. using sudo is uncomfortable starting with this
simple example:

$ sudo cat /dev/null >/root/lol
bash: /root/lol: Permission denied

of course you can work around that but if you say this is efficient i think
you are mad :)

On Fri, Aug 27, 2010 at 3:32 PM, Marian Hettwer wrote:

> On Fri, 27 Aug 2010 15:27:07 +0100, István wrote:
>
> > Well to be honest i don't see any case when i want to give sudo+tcpdump
> > access to any user on my box. And those who are admins/roots anyway the
> > "su -" just works perfectly and they can run tcpdump.
>
> Well, that wasn't an answer to my question or the claim of Andy.
> In fact, if you need to give access to some root-only binaries to a
> normal user, sudo(8) is the way to go.
> With "su -" you would allow full root-access, even though you might
> just want to allow specific commands to an unprivileged user.
>
> so. ehm. no!
> In fact, I would suggest to disable root, so that su - doesn't work at
> all.
>
> ./Marian
>
>

--
the sun shines for all
http://l1xl1x.blogspot.com
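
Why the `sudo cat /dev/null >/root/lol` line in the message above is refused, and two forms that move the open of the target file into the process started by sudo, as an added example that is not part of the original message. RUNNER is a stand-in for `sudo` (the demo passes `env` so it runs without privileges); the function names are hypothetical.

```sh
#!/bin/sh
# Constructed demo. RUNNER is whatever launches the command ("sudo" in the
# message above; "env" here so the demo needs no privileges).

# redirect_by_caller RUNNER TARGET MARKER
# Same shape as `sudo cat /dev/null >TARGET`: the calling shell opens TARGET
# itself, before RUNNER exists. If that open fails, RUNNER is never started,
# so MARKER (which only the launched command would create) never appears.
redirect_by_caller() {
    runner=$1 target=$2 marker=$3
    ( $runner sh -c 'touch "$1"; cat /dev/null' sh "$marker" >"$target" ) 2>/dev/null
}

# redirect_by_runner RUNNER TARGET
# The redirection is part of the command RUNNER starts, so the open happens
# with RUNNER's credentials. TARGET is passed as an argument, not pasted into
# the script text, so odd file names cannot change the command.
redirect_by_runner() {
    runner=$1 target=$2
    $runner sh -c 'cat /dev/null >"$1"' sh "$target"
}

# write_via_tee RUNNER TARGET
# tee opens TARGET itself; the caller only redirects its own stdin/stdout.
write_via_tee() {
    runner=$1 target=$2
    $runner tee "$target" </dev/null >/dev/null
}

# Optional walk-through: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    redirect_by_caller env "$d/missing/lol" "$d/marker" || echo "caller-side open failed"
    [ -e "$d/marker" ] || echo "runner was never started"
    printf 'data\n' >"$d/f"
    write_via_tee env "$d/f" && [ ! -s "$d/f" ] && echo "tee truncated the file"
    rm -rf "$d"
fi
```

With `sudo` as RUNNER, the second and third forms only work if the sudoers policy allows `sh` or `tee` for that user.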