
Hi everyone.

I'm wondering if someone can explain the rationale behind sudo. Ubuntu uses sudo by default, rather than having normal root access, although you can use root access if you wish. This is supposedly done with security in mind, but I don't see how it makes things more secure. It seems to me that allowing a user to execute commands which require root privileges, without having the root password, is really dangerous. For example, logged in as bnonn I can execute:

$ sudo passwd root

And change the root password. This doesn't seem secure to me! What am I missing?

Regards
Bnonn

On Tue, 2005-04-05 at 00:09 +1200, Bnonn wrote:
What am I missing?
Sudo supports granular controls on what each user can execute, see sudoers(5) for detailed information, but as an Administrator I could give a user permission to perform certain tasks on a machine but not others (i.e. they can restart apache, but not anything else).

Sudo logs each command that is executed, this provides the administrator with an audit trail of what commands users have been executing as root on the machine. Yes this can be easily bypassed, but that's where usage policy comes in...

Regards
--
Matt Brown
matt(a)mattb.net.nz
Mob +64 275 611 544
www.mattb.net.nz
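Added example, not part of the original thread: a sudoers fragment that puts a broad rule next to the kind of granular rule and logging described in the reply above. The group names (`admin`, `webops`), the `apache2ctl` path and the log file location are assumptions chosen for illustration.

```sudoers
# /etc/sudoers.d/webops  (constructed example; names and paths are assumptions)
# Check syntax before relying on it:  visudo -c -f /etc/sudoers.d/webops

# Broad rule: members of this group may run any command as any user.
# An account covered by a rule like this can run "sudo passwd root",
# which is the behaviour the original question describes.
%admin   ALL=(ALL) ALL

# Granular rule: list exact commands, with their arguments, and nothing else.
# Members of webops can restart or gracefully reload apache as root.
# "sudo passwd root" is denied for them, and the denied attempt is logged too.
Cmnd_Alias APACHE_CTL = /usr/sbin/apache2ctl restart, \
                        /usr/sbin/apache2ctl graceful
%webops  ALL=(root) APACHE_CTL

# Audit trail: sudo logs to syslog by default; this adds a dedicated file.
# Each entry records the invoking user, tty, working directory, target user
# and the full command line.
Defaults logfile="/var/log/sudo.log"

# The log only covers commands that sudo itself starts. A rule that permits
# a shell or an editor hands over a root session whose later commands are
# not recorded individually, so keep such programs out of Cmnd_Alias lists.
```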

I'm wondering if someone can explain the rationale behind sudo. Ubuntu uses sudo by default, rather than having normal root access, although you can use root access if you wish. This is supposedly done with security in mind, but I don't see how it makes things more secure. It seems to me that allowing a user to execute commands which require root privileges, without having the root password, is really dangerous. For example, logged in as bnonn I can execute:
$ sudo passwd root
And change the root password. This doesn't seem secure to me!
What am I missing?
Ubuntu's decision is more a social one than a technical one. If you are asked at install time to create two passwords, one for 'root' and one for your user, chances are they will either be the same, or insecure, or forgotten, or you won't see the point of the root password and leave it blank, etc.

If you only have one password, you remember it (you use it every day), hopefully you rotate it. You don't get confused about which one to enter if you're asked to enter the password, although this one really only applies to new users. It is also the model that Mac OS X uses, I believe.

Only the first user created on an Ubuntu system has sudo access to everything. This suits a single user desktop machine really well, and if it doesn't suit your needs, it's very easy to change. You've already told us how!

If you want to set the root password you're allowed to, but sudo is a great idea for giving people administrative access without having to let them know the root password (or in this case, without even having one.)

Craig

Fix your reader.
As humorous as this thread is, HTML mails generally are discouraged to mailing lists, as a form of netiquette. If you send both HTML and plain text, then at least a sensible reader will only show plain text in appropriate circumstances, however it's still not preferred. If you can't make your mailer send both html and plaintext, then I'd go with the grandparent's advice of "Fix your mailer"

Daniel Lawson wrote:
As humorous as this thread is, HTML mails generally are discouraged to mailing lists, as a form of netiquette. If you send both HTML and plain text, then at least a sensible reader will only show plain text in appropriate circumstances, however it's still not preferred. If you can't make your mailer send both html and plaintext, then I'd go with the grandparent's advice of "Fix your mailer"
I'd also like to suggest that a good way to solve this problem might be a polite off-list reply to the "offender", asking them to fix their mailer. A terse public complaint, while it may make you feel all superior, does nothing but get people's backs up. Yes, I've been guilty of this in the past, but I'm trying! (Very trying...)
G.

I'm happy to alter my mailer to observe the netiquette you speak of. I'm afraid I wasn't aware of it. What is the reason behind it, may I ask?

Greig McGill wrote:
Daniel Lawson wrote:
As humorous as this thread is, HTML mails generally are discouraged to mailing lists, as a form of netiquette. If you send both HTML and plain text, then at least a sensible reader will only show plain text in appropriate circumstances, however it's still not preferred. If you can't make your mailer send both html and plaintext, then I'd go with the grandparent's advice of "Fix your mailer"
I'd also like to suggest that a good way to solve this problem might be a polite off-list reply to the "offender", asking them to fix their mailer. A terse public complaint, while it may make you feel all superior, does nothing but get people's backs up. Yes, I've been guilty of this in the past, but I'm trying! (Very trying...)
G.
_______________________________________________ wlug mailing list | wlug(a)list.waikato.ac.nz Unsubscribe: http://list.waikato.ac.nz/mailman/listinfo/wlug

Not everyone uses mail clients that support HTML. Also, sending HTML to a list is somewhat pointless, because Mailing List readers don't tend to care how fancy an email is, it's about the content.

On Apr 5, 2005 10:20 AM, Bnonn <bnonn(a)orcon.net.nz> wrote:
I'm happy to alter my mailer to observe the netiquette you speak of. I'm afraid I wasn't aware of it. What is the reason behind it, may I ask?
Greig McGill wrote:
Daniel Lawson wrote:
As humorous as this thread is, HTML mails generally are discouraged to mailing lists, as a form of netiquette. If you send both HTML and plain text, then at least a sensible reader will only show plain text in appropriate circumstances, however it's still not preferred. If you can't make your mailer send both html and plaintext, then I'd go with the grandparent's advice of "Fix your mailer"
I'd also like to suggest that a good way to solve this problem might be a polite off-list reply to the "offender", asking them to fix their mailer. A terse public complaint, while it may make you feel all superior, does nothing but get people's backs up. Yes, I've been guilty of this in the past, but I'm trying! (Very trying...)
G.
-- Ed Linklater Director Urban Culture [ www.urbanculture.co.nz | www.thecrew.co.nz ]
participants (7)
- Bnonn
- Craig Box
- Daniel Lawson
- Ed Linklater
- Greig McGill
- James Clark
- Matt Brown