On Wed, Dec 14, 2011 at 05:03:48PM -0500, Mouse wrote:
[3] Sudo was
to allow non-root users to do root-like things, but
*not* to run a @#$@ shell, or else, why not just give the users
root access? I mean---hello! Am I missing something?
With sudo, it's a lot easier to revoke one person's ability to do stuff
without needing to distribute a new password to everyone else, as
compared to traditional su.
Of course, that's not always of much value. On a personal machine, on
a machine on which only a tiny number of people should have privileged
access of any sort, that doesn't matter so much.
And, yes, some uses of sudo _are_ supposed to prevent shell access by
some people while still allowing them to do certain other things.
Presumably such people aren't going to be running full-fledged vi (or
various other programs) through sudo, of course, because of exactly
this possibility.
Well, if you want to use sudo to allow people _some_ privileged actions
while keeping them away from unlimited root, you _really_ have to very
carefully audit what you give them access to. The shell escape in the
editor being an eternal classic ;-)
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
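
The audit described in the message above, sketched as an added example (not part of the original thread): it reads simplified sudoers user rules and reports those that still lead to a root shell. The program list, the sample rules and the `audit` helper are assumptions made for illustration; the parser ignores aliases, escaped commas and include directives.

```python
import os
import re

# Assumption: a short, illustrative list of programs that can start a shell
# or another command from inside; extend it from your own review.
ESCAPE_CAPABLE = {"vi", "vim", "view", "emacs", "ed", "less", "more", "man"}

# Constructed sample rules (not taken from the thread).
SAMPLE_SUDOERS = """\
# helpdesk may restart the print service
alice  ALL = /usr/sbin/service cups restart
bob    ALL = /usr/bin/vi /etc/hosts
carol  ALL = sudoedit /etc/hosts
dave   ALL = NOEXEC: /usr/bin/less /var/log/messages, EXEC: /usr/bin/vim /etc/motd
erin   ALL = (root) ALL
"""

TAGS = re.compile(r"^((?:[A-Z_]+:\s*)+)")  # e.g. "NOEXEC: " or "NOPASSWD: NOEXEC: "

def audit(text):
    """Return (user, command, reason) for rules that can lead to a root shell."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if "=" not in line or line.startswith("Defaults"):
            continue
        lhs, rhs = line.split("=", 1)
        user = lhs.split()[0]
        rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)    # drop a leading (runas) spec
        noexec = False                                # a tag carries over to later commands
        for cmd in (c.strip() for c in rhs.split(",")):
            m = TAGS.match(cmd)
            if m:
                for tag in m.group(1).replace(":", " ").split():
                    if tag in ("NOEXEC", "EXEC"):
                        noexec = tag == "NOEXEC"
                cmd = cmd[m.end():].strip()
            if not cmd:
                continue
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted root"))
            elif prog in ESCAPE_CAPABLE and not noexec:
                findings.append((user, cmd, "can spawn a shell; use sudoedit or NOEXEC"))
    return findings

if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
```

Rules that use `sudoedit` or carry the `NOEXEC` tag are not reported, since both are sudo's own mechanisms for letting someone edit or view a file without handing over a root shell.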