Date: Thu, 21 Jul 2005 12:06:44 -0700 From: Stephen Major <smajor@gmail.com> To: <freebsd-security@freebsd.org> Subject: FW: FW: FW: Adding OpenBSD sudo to the FreeBSD base system? Message-ID: <42dff246.10290f5b.7a23.ffff8bbe@mx.gmail.com>
next in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I have grabbed some quotes from various discussions on this topic these are other peoples opinions! ">Regarding su vs. direct login, you should use su, it doesn't give > you much, but it does give you knowledge of who logged in as root > and when (provided that he did not edit the logs :-) Yes, it gives you a huge advantage, assuming you disable direct root logins and only certain accounts are allowed to run su(1). The advantage is that in order to gain root access, you must compromise either a daemon running as root, or an account capable of running su. This decreases your vulnerable profile, as only certain accounts can be used to gain root privileges at all." "> Regarding su vs. direct login, you should use su, it doesn't give > you much, but it does give you knowledge of who logged in as root > and when (provided that he did not edit the logs :-) And if you follow up by disabling direct root logins, you now must first authenticate as a user in order to attempt to guess the root password, and you get those attempts logged. That's a bigger win than logging successful root logins IMO :-) The biggest advantage of sudo, though, is less security-related and more "what did that admin do at 3 am?". Because sudo logs every command, you can see just what was done. Obviously, a malicious user could circumvent this most if not all of the time, but it can be great for seeing what was done with good intentions." "Understand I am NOT arguing against sudo. Properly setup, it's a wonderful tool for giving the power you want to sub-admins and even co-admins get benefit from using it. But that doesn't mean that I'd lock myself out of root entirely as Apple has done. This is an area where they did it wrong, just like having tcsh as the default shell." And beyond that how many holes you going to create by replacing su with sudo just because some admin does not know how to configure it correctly? I too understand the usefulness of the tool but do not replace su with it, many of us like su and how it operates. My servers for instance have 2 accounts in the wheel group, and su to root is perfect for that application. - -----Original Message----- From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Mike Hunter Sent: Thursday, July 21, 2005 11:55 AM To: Stephen Major Cc: freebsd-security@freebsd.org Subject: Re: FW: FW: Adding OpenBSD sudo to the FreeBSD base system? On Jul 21, "Stephen Major" wrote: > Sudo requires extra configuration that su does not. > > Why should I have to waste my time configuring another app just because a > handful of people want it? I like su and how it works and I guarantee I am > not the only one. You want it replaced replace it your self > cd /usr/ports/security/sudo && make install clean > > That simple! Don't waste our time because you want something to be easier > for you Last week I had to do a little work on a 1980's AT&T Unix box. I'm glad that yours isn't the only opinion that has shaped the evolution of unix, or else I'd probably still be using such OSes all day! Sudo is a great tool, and adding it as part of the base system would be a great way to advance the FreeBSD security and usability baseline. After time, maybe enough people would start using sudo in place of su and it would be time to consider retiring su...a process that has happened thousands of times as a natural part of an evolving OS. Mike _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.1 (Build 2185) iQEVAwUBQt/yRqKXvLS903/FAQq5xggAnjeB7D1DJXIj64lBCxvRQ/uIsDlXm94h ey+3c9DLh1jpfUXcNInPi5wSVC8mJDWnu/msT1dWL9hwJvM7+N7WcEgeAOX0D8A2 ZUeE8jhukSLdSDCa1le9htOYkyTgNpgOpqodMeo5p8o/tIvh4YGybC1yQ4gZh2J3 Uq+JmbbciDYesP/NgITlLZei2INAZinhDyQwDkabWiRkrxIWzfYUlhWZpV48H7ov UiGDMkqMkhqTuMc7H/FuMxMEIKmvEhKYpxI/seY2DFxak2puWwSEU1rVpkzbf5bA s0G9w0tdxw4ohQXukLG0O2pp+/7DJloJmsTI7+/wKp8eyqsWnAxY6g== =jao8 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42dff246.10290f5b.7a23.ffff8bbe>