How do you feel about sudo Post: 302106247

Sponsored Content

The Lounge What is on Your Mind? How do you feel about sudo Post 302106247 by Perderabo on Wednesday 7th of February 2007 10:48:00 AM

02-07-2007

Administrator Emeritus

sudo does not enhance security. Remove sudo and you will have a more secure system. But if you want to give a non-root user the power to run a few commands as root, sudo is a way to do that. sudo is open source and it has been around for quite a while. Lots of very smart people have inspected it for problems. There don't seem to be any surprises lurking in it. sudo is configurable and it can easily be misconfigured. So I trust sudo but I trust a system with sudo in use only after I inspect the configuration. One better approach is to not need sudo or anything like it. Need a command run as root? Contact an SA. Need to run a command as oracle? Contact a DBA.

An alternative is RBAC (role based access control). The NSA (National Security Agency) assembled a team to develop an RBAC system for Linux and actually posted the source code on the net. I believe that the required kernel changes have been roled into the latest linux kernel. Some distros support RBAC. I don't know a lot about RBAC. Not too many people do... it's rather new. It could certainly be misconfigured as well.

BTW, I fixed that typo.

Perderabo

View Public Profile for Perderabo

Find all posts by Perderabo

6 More Discussions You Might Find Interesting

1. Solaris

Why is the look and feel of CDE still the same?

Hi guys, Why is the look and feel of CDE still the same? It hasn't changed at all. -cadmiumgreen

2. What is on Your Mind?

How Do You Feel About This Site?

OK, be honest ...... :D

3. What is on Your Mind?

Ever feel like a fireworks salesman?

Helping some makes me feel like a fireworks salesman. They have so much power and so little education. "Light fuse on end and drop cracker and run away fast." "How fast?" "Real fast the first time, and then you will know how fast. Oh, do not drop cracker into the bag of...

4. Solaris

How do you feel about the OpenSolaris spinoffs?

Every once in a while, I take a peek at OpenIndiana, Nexenta and Illumos hoping to see the spirit of OpenSolaris rise and fly. But I'm not real impressed with the level of activity. What do you think? Is there still forward progress? Is there a large reservoir of loyal Solaris users that...

5. Shell Programming and Scripting

ssh foo.com sudo command - Prompts for sudo password as visible text. Help?

I am writing a BASH script to update a webserver and then restart Apache. It looks basically like this: #!/bin/bash rsync /path/on/local/machine/ foo.com:path/on/remote/machine/ ssh foo.com sudo /etc/init.d/apache2 reloadrsync and ssh don't prompt for a password, because I have DSA encryption...

6. What is on Your Mind?

Studying but feel like not learning anything

I am trying to study this solaris OS. But each time I study, I feel like I didn't learn anything. Any suggestions? Thanks

LEARN ABOUT OPENSOLARIS

gksu

GKSU(1) 						      General Commands Manual							   GKSU(1)

NAME

       gksu - a Gtk+ su frontend

SYNOPSIS

       gksu [ options ] <command>
       gksudo [ options ] <command>

DESCRIPTION

       This manual page documents briefly gksu and gksudo

       gksu  is  a frontend to su and gksudo is a frontend to sudo.  Their primary purpose is to run graphical commands that need root without the
       need to run an X terminal emulator and using su directly.

OPTIONS

       These programs follow the usual GNU command line syntax, with long options starting with  two  dashes  (`-').   A  summary  of  options	is
       included below.

   Common Options:
       --user <user>, -u <user>

	      Calls <command> as the specified user

       --message <message>, -m <message>

	      Replaces the standard message shown to ask for password for the argument passed to the option

       --sudo-mode, -S

	      Use  sudo  instead  of  su as backend authentication system. Notice that the X authorization magic will not work when using sudo for
	      target users other than root.

       --title <title>, -t <title>

	      Replaces the default title with the argument

       --icon <icon>, -i <icon>

	      Replaces the default window icon with the argument

       --print-pass, -p

	      Asks gksu to print the password to stdout, just like ssh-askpass. Useful to use in scripts with programs that accept  receiving  the
	      password on stdin.

       --disable-grab, -g

	      Disables the "locking" of the keyboard, mouse, and focus done by the program when asking for password

       --ssh-fwd, -s

	      Strip the host part of the $DISPLAY variable, so that GKSu will work on SSH X11 Forwarding.

       --login, -l

	      Makes  this a login shell. Beware this may cause problems with the Xauthority magic. Run xhost to allow the target user to open win-
	      dows on your display! This is ignored if running with sudo as backend for authentication.

       --preserve-env, -k

	      Preserve the current environments, does not set $HOME nor $PATH, for example.

FILES

       /etc/gksu.conf
	      Configuration file to setup system-wide defaults for gksu/gksudo.  It provides an option to force the display grabing, also.

RETURN VALUE

       On success, gksu will return 0. If an authentication error ocurred, it will exit with error code 3. If the  user  canceled  the	dialog	or
       closed the window, it will return error code 2. On other error conditions, gksu will return 1.

NOTE

       Note that <command> and all its arguments should be passed as one single argument to gksu just like one would to when using su.

SEE ALSO

       su(1), gksuexec(1).

AUTHOR

       This manual page was written by Gustavo Noronha Silva <kov@debian.org> for the Debian GNU/Linux system (but may be used by others).

								       2003								   GKSU(1)