14 Dec
2011
14 Dec
'11
11:49 a.m.
From: Sean Conner
Sent: Wednesday, December 14, 2011 11:16 AM
It was thus said that the Great Jochen Kunz once
stated:
> On Wed, 14 Dec 2011 00:48:15 +0000
> Liam Proven <lproven at gmail.com>> wrote:
>> Ditto, and a decent security measure too.
> It would be acceptable as a security measure to
restrict root login to
> the local text console. This prevents "missuse" of the root account but
> makes the system accessible in the event of a failure. If e.g. NIS
> breaks you can't get into a Ubuntu machine to fix the problem. All you
> can do in that situation is to hit the reset button and boot single
> user. But that is an other story...
GenericUbuntuNonRootUserPrompt% sudo vi
(while in vi)
:shell
Have fun.
-spc (Has had to do that a few times on fresh Ubuntu
installs)
That's an awful lot of schratzing around to accomplish what a simple
GUNRUP% sudo /bin/bash
will do for you. (I use this frequently on my Snow Leopard system.)
Rich Alderson
Vintage Computing Sr. Server Engineer
Vulcan, Inc.
505 5th Avenue S, Suite 900
Seattle, WA 98104
mailto:RichA at vulcan.com
mailto:RichA at LivingComputerMuseum.org
http://www.LivingComputerMuseum.org/
14 Dec
14 Dec
12:47 p.m.
In article <539CFBE84C931A4E8516F3BBEA36C7AA4D7E8D75 at 505MBX1.corp.vnw.com>,
Rich Alderson <RichA at vulcan.com> writes:
That's an awful lot of schratzing around to
accomplish what a simple
GUNRUP% sudo /bin/bash
will do for you. (I use this frequently on my Snow Leopard system.)
Is there some reason you don't do 'sudo -i'?
--
"The Direct3D Graphics Pipeline" -- DirectX 9 version available for download
<http://legalizeadulthood.wordpress.com/the-direct3d-graphics-pipeline/>
Legalize Adulthood! <http://legalizeadulthood.wordpress.com>
1:21 p.m.
It was thus said that the Great Richard once stated:
In article <539CFBE84C931A4E8516F3BBEA36C7AA4D7E8D75 at 505MBX1.corp.vnw.com>,
Rich Alderson <RichA at vulcan.com> writes:
Basically, yes. I *loathe* sudo [1], so the less I have to use it, the
better. I made the assumption that sudo bash (or any other number of
commands that have been presented) were locked, because what's the *point*
of sudo if you can just simply do "sudo bash"? [3]
-spc (sudo this, sudo that, sudo something else ... for more than one
command, sudo is an annoyance ... )
[1] It doesn't protect the system at *all*. Or rather, to prevent shell
access via sudo [2], you need to go to insane lengths in tightening
down the system. @#$@#$ that! I'll su, thank you very much.
[2] Because root shell access can cause a great amount of damage. [3]
[3] Sudo was to allow non-root users to do root-like things, but *not*
to run a @#$@ shell, or else, why not just give the users root
access? I mean---hello! Am I missing something?
That's an awful lot of schratzing around to
accomplish what a simple
GUNRUP% sudo /bin/bash
will do for you. (I use this frequently on my Snow Leopard system.)
Is there some reason you don't do 'sudo -i'? 
1:32 p.m.
On 12/14/2011 04:21 PM, Sean Conner wrote:
It was thus said that the Great Richard once stated:
We use a common root password on our machines but we don't want to give
some of the people who do admin things on those machine the common
password -- so we give them sudo access on the machines they need to do
admin on and don't really restrict what they can do with it because we
"trust" them :)
Brian
In
article<539CFBE84C931A4E8516F3BBEA36C7AA4D7E8D75 at 505MBX1.corp.vnw.com>,
Rich Alderson<RichA at vulcan.com> writes:
Basically, yes. I *loathe* sudo [1],
so the less I have to use it, the
better. I made the assumption that sudo bash (or any other number of
commands that have been presented) were locked, because what's the *point*
of sudo if you can just simply do "sudo bash"? [3]
-spc (sudo this, sudo that, sudo something else ... for more than one
command, sudo is an annoyance ... )
[1] It doesn't protect the system at *all*. Or rather, to prevent shell
access via sudo [2], you need to go to insane lengths in tightening
down the system. @#$@#$ that! I'll su, thank you very much.
[2] Because root shell access can cause a great amount of damage. [3]
[3] Sudo was to allow non-root users to do root-like things, but *not*
to run a @#$@ shell, or else, why not just give the users root
access? I mean---hello! Am I missing something? That's an awful lot of schratzing around to
accomplish what a simple
GUNRUP% sudo /bin/bash
will do for you. (I use this frequently on my Snow Leopard system.)
Is there some
reason you don't do 'sudo -i'?
1:57 p.m.
It was thus said that the Great Brian Wheeler once stated:
On 12/14/2011 04:21 PM, Sean Conner wrote:
You don't trust some users with the root password, but you allow them a
root shell via sudo and trust them not to install back doors.
-spc (My head a splode ... )
It was thus said that the Great Richard once
stated:
We use a common root password on our machines but we don't want to give
some of the people who do admin things on those machine the common
password -- so we give them sudo access on the machines they need to do
admin on and don't really restrict what they can do with it because we
"trust" them :) In
article<539CFBE84C931A4E8516F3BBEA36C7AA4D7E8D75 at 505MBX1.corp.vnw.com>,
Rich Alderson<RichA at vulcan.com> writes:
Basically, yes. I *loathe* sudo [1],
so the less I have to use it, the
better. I made the assumption that sudo bash (or any other number of
commands that have been presented) were locked, because what's the *point*
of sudo if you can just simply do "sudo bash"? [3]
-spc (sudo this, sudo that, sudo something else ... for more than one
command, sudo is an annoyance ... )
[1] It doesn't protect the system at *all*. Or rather, to prevent shell
access via sudo [2], you need to go to insane lengths in tightening
down the system. @#$@#$ that! I'll su, thank you very much.
[2] Because root shell access can cause a great amount of damage. [3]
[3] Sudo was to allow non-root users to do root-like things, but *not*
to run a @#$@ shell, or else, why not just give the users root
access? I mean---hello! Am I missing something? That's an awful lot of schratzing around to
accomplish what a simple
GUNRUP% sudo /bin/bash
will do for you. (I use this frequently on my Snow Leopard system.)
Is there some
reason you don't do 'sudo -i'? 
4:29 p.m.
You don't trust some users with the root password,
but you allow them
a root shell via sudo and trust them not to install back doors.
-spc (My head a splode ... )
Yes. Trust is not a single-dimensioned thing.
The set of users trusted to be non-malicious is quite often very far
from the same set as the set of users trusted to not
make disastrous
mistakes by accident when handed a full-powered root shell. sudo
used
as described (in text I cut) is entirely appropriate for those who are
in the former set but not the latter set. (Well, to the extent that
sudo is appropriate for anything at all; after trying to install it at
work, I don't really consider it so.)
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse at rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
4:35 p.m.
On Wed, Dec 14, 2011 at 04:57:15PM -0500, Sean Conner wrote:
It was thus said that the Great Brian Wheeler once
stated:
Makes perfect sense. If you are afraid of them installing backdoors,
you shouldn't grant them _any_ shell access to the system at all.
The "common" root password probably is also used for machines those guys
are not supposed to have root on.
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
On 12/14/2011 04:21 PM, Sean Conner wrote:
You don't trust some users with the root password, but you allow them a
root shell via sudo and trust them not to install back doors. It was thus said that the Great Richard once
stated:
We use a common root password on our machines but we don't want to give
some of the people who do admin things on those machine the common
password -- so we give them sudo access on the machines they need to do
admin on and don't really restrict what they can do with it because we
"trust" them :) In
article<539CFBE84C931A4E8516F3BBEA36C7AA4D7E8D75 at 505MBX1.corp.vnw.com>,
Rich Alderson<RichA at vulcan.com> writes:
>That's an awful lot of schratzing around to accomplish what a simple
>
> GUNRUP% sudo /bin/bash
>
>will do for you. (I use this frequently on my Snow Leopard system.)
Is there some reason you don't do 'sudo -i'?
Basically, yes. I
*loathe* sudo [1], so the less I have to use it, the
better. I made the assumption that sudo bash (or any other number of
commands that have been presented) were locked, because what's the *point*
of sudo if you can just simply do "sudo bash"? [3]
-spc (sudo this, sudo that, sudo something else ... for more than one
command, sudo is an annoyance ... )
[1] It doesn't protect the system at *all*. Or rather, to prevent shell
access via sudo [2], you need to go to insane lengths in tightening
down the system. @#$@#$ that! I'll su, thank you very much.
[2] Because root shell access can cause a great amount of damage. [3]
[3] Sudo was to allow non-root users to do root-like things, but *not*
to run a @#$@ shell, or else, why not just give the users root
access? I mean---hello! Am I missing something? 
15 Dec
15 Dec
6:02 a.m.
One reason to use/require sudo of root commands that I've seen was for auditing the
use of root access/commands. It wasn't for security purposes other than yes to give
approved people access to priviledged commands using their password and not reveal the
root password, however it nicely logs to your logging server that user ran x command. It
was a pain yes I wouldn't argue that and the change of habit from admins sudoing to su
takes a bit to get out of autopilot mode but it worked out in the end.
The other comment was no of course it isn't a security measure or preventing a
non-admin from creating an account, however every employer/employee should be getting a
nice little motd or security message indicating proper authorized use of the system and
lack of expectation to privacy. Creating an administrative account/backdoor would be good
grounds to be fired. It's just a security control.
--- On Wed, 12/14/11, Alexander Schreiber <als at thangorodrim.de> wrote:
>
>???-spc (sudo this, sudo that,
sudo something else ... for more than one
> >??? command, sudo is an
annoyance
... )
???You don't trust some users with the
root password, but you allow them a
root shell via sudo and trust them not to install
back
doors.? 
4:03 p.m.
On 12/15/11 6:02 AM, "Sam Onella" <barythrin at yahoo.com> wrote:
One reason to use/require sudo of root commands that
I've seen was for
auditing the use of root access/commands. It wasn't for security
purposes other than yes to give approved people access to priviledged
commands using their password and not reveal the root password, however
it nicely logs to your logging server that user ran x command. It was a
pain yes I wouldn't argue that and the change of habit from admins
sudoing to su takes a bit to get out of autopilot mode but it worked out
in the end.
The other comment was no of course it isn't a security measure or
preventing a non-admin from creating an account, however every
employer/employee should be getting a nice little motd or security
message indicating proper authorized use of the system and lack of
expectation to privacy. Creating an administrative account/backdoor
would be good grounds to be fired. It's just a security control.
Yeah, locks keep honest people honest. The purpose of security measures
is to raise the price too high to make it worth stealing. (Example: "If
you value your life as much as I value this motorcycle, don't [action
verb] with it!") -- Ian
14 Dec
14 Dec
7:03 p.m.
On Wed, 2011-12-14 at 16:57 -0500, Sean Conner wrote:
It was thus said that the Great Brian Wheeler once
stated:
We don't trust them on all of the machines, just a small subset. Since
we're all in the same department, its mostly a sanity check thing rather
than a lockdown.
On 12/14/2011 04:21 PM, Sean Conner wrote:
You don't trust some users with the root password, but you allow them a
root shell via sudo and trust them not to install back doors.
-spc (My head a splode ... )
It was thus said that the Great Richard once
stated:
We use a common root password on our machines but we don't want to give
some of the people who do admin things on those machine the common
password -- so we give them sudo access on the machines they need to do
admin on and don't really restrict what they can do with it because we
"trust" them :) In
article<539CFBE84C931A4E8516F3BBEA36C7AA4D7E8D75 at 505MBX1.corp.vnw.com>,
Rich Alderson<RichA at vulcan.com> writes:
>That's an awful lot of schratzing around to accomplish what a simple
>
> GUNRUP% sudo /bin/bash
>
>will do for you. (I use this frequently on my Snow Leopard system.)
Is there some reason you don't do 'sudo -i'?
Basically, yes. I
*loathe* sudo [1], so the less I have to use it, the
better. I made the assumption that sudo bash (or any other number of
commands that have been presented) were locked, because what's the *point*
of sudo if you can just simply do "sudo bash"? [3]
-spc (sudo this, sudo that, sudo something else ... for more than one
command, sudo is an annoyance ... )
[1] It doesn't protect the system at *all*. Or rather, to prevent shell
access via sudo [2], you need to go to insane lengths in tightening
down the system. @#$@#$ that! I'll su, thank you very much.
[2] Because root shell access can cause a great amount of damage. [3]
[3] Sudo was to allow non-root users to do root-like things, but *not*
to run a @#$@ shell, or else, why not just give the users root
access? I mean---hello! Am I missing something? 
1:40 p.m.
On Dec 14, 2011, at 4:21 PM, Sean Conner wrote:
It was thus said that the Great Richard once stated:
The point is so you don't do something stupid accidentally, like "chmod -R 666
/". It's just a safety; it's not meant to lock people out of having root
shells, it's just to prevent them from doing it routinely. It's been useful to me
in that respect, as it has prevented me from doing stupid things accidentally because I
wasn't in a root shell.
It also has the alternate function of granting limited admin powers to non-superusers, but
I would argue that anything other than a whitelist of commands is asking for trouble in
that regard (and it's probably just not a great idea in general, given how many
programs have doors out the side, like vi).
- Dave
In article <539CFBE84C931A4E8516F3BBEA36C7AA4D7E8D75 at 505MBX1.corp.vnw.com>,
Rich Alderson <RichA at vulcan.com> writes:
Basically, yes. I *loathe* sudo [1], so the less I have to use it, the
better. I made the assumption that sudo bash (or any other number of
commands that have been presented) were locked, because what's the *point*
of sudo if you can just simply do "sudo bash"? [3] That's an awful lot of schratzing around to
accomplish what a simple
GUNRUP% sudo /bin/bash
will do for you. (I use this frequently on my Snow Leopard system.)
Is there some reason you don't do 'sudo -i'?
4:40 p.m.
On Wed, Dec 14, 2011 at 04:40:44PM -0500, David Riley wrote:
On Dec 14, 2011, at 4:21 PM, Sean Conner wrote:
It depends. For instance on workstations you might grant the official
user of the machine unlimited sudo access, using it just as a conscious
barrier: "cross this line and you can _really_ break stuff". Backstop
that with a standard configuration management system (like cfengine) to
keep the machine automagically within the standard setup.
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
It was thus said that the Great Richard once
stated:
The point is so you don't do something stupid accidentally, like "chmod -R
666 /". It's just a safety; it's not meant to lock people out of having
root
shells, it's just to prevent them from doing it routinely. It's been useful
to me in that respect, as it has prevented me from doing stupid things
accidentally because I wasn't in a root shell.
It also has the alternate function of granting limited admin powers to
non-superusers, but I would argue that anything other than a whitelist of
commands is asking for trouble in that regard (and it's probably just not a
great idea in general, given how many programs have doors out the side, like
vi).
In article <539CFBE84C931A4E8516F3BBEA36C7AA4D7E8D75 at 505MBX1.corp.vnw.com>,
Rich Alderson <RichA at vulcan.com> writes:
Basically, yes. I *loathe* sudo [1], so the less I have to use it, the
better. I made the assumption that sudo bash (or any other number of
commands that have been presented) were locked, because what's the *point*
of sudo if you can just simply do "sudo bash"? [3] That's an awful lot of schratzing around to
accomplish what a simple
GUNRUP% sudo /bin/bash
will do for you. (I use this frequently on my Snow Leopard system.)
Is there some reason you don't do 'sudo -i'?
9:51 p.m.
It was thus said that the Great David Riley once stated:
On Dec 14, 2011, at 4:21 PM, Sean Conner wrote:
So far, the only difference I see between "su -" and "sudo -s" is
what
password I type. I've helped other admins set up sudo. That's why I don't
bother with it, becuase it's a freaking pain to set up to allow "limited"
access.
When I beome root, it's to run a series of commands, and to become root, I
have to type in a command. And in fact, I can't remember the last time I
ran only *one* command as root. And frankly, I don't become root very often
(just to install software (compiled from the tarball, or maybe the package
system du jour) or restart a downed or non-functioning daemon).
Have I accidentally deleted files? Yeah, but I've done that as a non-root
user with disasterous results. Those using sudo because "it's more secure"
are deluding themselves, in my opinion.
It was thus said that the Great Richard once
stated:
The point is so you don't do something stupid accidentally, like "chmod -R
666 /". It's just a safety; it's not meant to lock people out of having
root shells, it's just to prevent them from doing it routinely. It's been
useful to me in that respect, as it has prevented me from doing stupid
things accidentally because I wasn't in a root shell.
In article <539CFBE84C931A4E8516F3BBEA36C7AA4D7E8D75 at 505MBX1.corp.vnw.com>,
Rich Alderson <RichA at vulcan.com> writes:
Basically, yes. I *loathe* sudo [1], so the less I have to use it, the
better. I made the assumption that sudo bash (or any other number of
commands that have been presented) were locked, because what's the *point*
of sudo if you can just simply do "sudo bash"? [3] That's an awful lot of schratzing around to
accomplish what a simple
GUNRUP% sudo /bin/bash
will do for you. (I use this frequently on my Snow Leopard system.)
Is there some reason you don't do 'sudo -i'? It also has the alternate function of granting limited
admin powers to
non-superusers, but I would argue that anything other than a whitelist of
commands is asking for trouble in that regard (and it's probably just not
a great idea in general, given how many programs have doors out the side,
like vi).
I can't think of many commands that 1) won't give you root access via some
method, or 2) are very useful by themselves as a one-off in root.
-spc (But I can see I'm in a very small minority ... )
15 Dec
15 Dec
7:16 a.m.
So far, the only difference I see between "su
-" and "sudo -s" is
what password I type.
I _think_ "su -" uses root's shell and "sudo -s" uses your shell.
Those using sudo because "it's more
secure" are deluding themselves,
in my opinion.
Actually, there are threats it's more secure against than simple su.
(Not to say that all, or even most, of those espousing the "It's More
Secure" theory have bothered with threat modeling, or even know the
concept; Sturgeon's Law applies.)
I can't think of many commands that 1) won't
give you root access via
some method, or 2) are very useful by themselves as a one-off in
root.
(1) doesn't matter unless you are dealing with malicious attackers.
While I don't have enough information to say anything about how common
they are among sudo users, there _are_ plenty of potential sudo uses
that do not have to worry about them.
As for (2), there are lots of commands that are useful as one-offs when
run as root. At least a few of them have fairly low "pervert to obtain
root access" potential; for example, the desire that led me to muck
about with sudo most recently was the desire to give someone tcpdump
access on a particular interface of a particular machine - not
particularly dangerous, especially since it's also a case of a user
who's trusted to be non-malicious, just not trusted with the mistake
potential a full root shell carries.
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse at rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
14 Dec
14 Dec
2:02 p.m.
On 14/12/11 21:21, Sean Conner wrote:
[3] Sudo was to allow non-root users to do root-like
things, but *not*
to run a @#$@ shell, or else, why not just give the users root
access? I mean---hello! Am I missing something?
It makes it easier to administer the 'right to run commands as root'
privilege:
* If all you have is 'su', you have to give the root password to
everyone who needs to run commands as root. If that password changes,
you now need to give it to all the other admins / root users.
* If the root password is compromised, you have to change it... and give
the new one out again.
* The user doesn't need to remember two passwords (their logon password
and the root password). Convenience factor.
* If a user only needs to run one command as root (say, mksquashfs) then
you add that to 'sudoers' as an explicit-allow rule.
--
Phil.
classiccmp at philpem.me.uk
http://www.philpem.me.uk/
2:03 p.m.
[3] Sudo was to allow non-root users to do root-like
things, but
*not* to run a @#$@ shell, or else, why not just give the users
root access? I mean---hello! Am I missing something?
With sudo, it's a lot easier to revoke one person's ability to do stuff
without needing to distribute a new password to everyone else, as
compared to traditional su.
Of course, that's not always of much value. On a personal machine, on
a machine on which only a tiny number of people should ahve privileged
access of any sort, that doesn't matter so much.
And, yes, some uses of sudo _are_ supposed to prevent shell access by
some people while still allowing them to do certain other things.
Presumably such people aren't going to be running full-fleged vi (or
various other programs) through sudo, of course, because of exactly
this possibility.
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse at rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
4:42 p.m.
On Wed, Dec 14, 2011 at 05:03:48PM -0500, Mouse wrote:
Well, if you want to use sudo to allow people _some_ privileged actions
while keeping them away from unlimited root, you _really_ have to very
carefully audit what you give them access to. The shell escape in the
editor being an eternal classic ;-)
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
[3] Sudo was
to allow non-root users to do root-like things, but
*not* to run a @#$@ shell, or else, why not just give the users
root access? I mean---hello! Am I missing something?
With sudo, it's a lot easier to revoke one person's ability to do stuff
without needing to distribute a new password to everyone else, as
compared to traditional su.
Of course, that's not always of much value. On a personal machine, on
a machine on which only a tiny number of people should ahve privileged
access of any sort, that doesn't matter so much.
And, yes, some uses of sudo _are_ supposed to prevent shell access by
some people while still allowing them to do certain other things.
Presumably such people aren't going to be running full-fleged vi (or
various other programs) through sudo, of course, because of exactly
this possibility. 
4:33 p.m.
On Wed, Dec 14, 2011 at 04:21:12PM -0500, Sean Conner wrote:
It was thus said that the Great Richard once stated:
To put up a conscious barrier before being handed a loaded shotgun that
helpfully already points at your foot and has the safety disabled ;-)
Also, in true multiuser environments, to limit who is allowed to destroy the
system when - not if - he fucks up. For instance, for corporate workstations
you might grant everybody in the team/group login access, but only the
official "owner" and the workstation support team gets root access via sudo.
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
In article <539CFBE84C931A4E8516F3BBEA36C7AA4D7E8D75 at 505MBX1.corp.vnw.com>,
Rich Alderson <RichA at vulcan.com> writes:
Basically, yes. I *loathe* sudo [1], so the less I have to use it, the
better. I made the assumption that sudo bash (or any other number of
commands that have been presented) were locked, because what's the *point*
of sudo if you can just simply do "sudo bash"? [3] That's an awful lot of schratzing around to
accomplish what a simple
GUNRUP% sudo /bin/bash
will do for you. (I use this frequently on my Snow Leopard system.)
Is there some reason you don't do 'sudo -i'? 
5:48 p.m.
On 12/14/2011 07:33 PM, Alexander Schreiber wrote:
Also, in true multiuser environments, to limit who is
allowed to destroy the
system when - not if - he fucks up. For instance, for corporate workstations
you might grant everybody in the team/group login access, but only the
official "owner" and the workstation support team gets root access via sudo.
Kerberos is wonderful for this sort of thing; I've used it with great
success. Each user has *their own* root password (or "become root"
password, if you will) in each administrative "realm" (a Kerberos term),
it only works for that user, and on what machine it works is
controllable on a machine-by-machine basis.
-Dave
--
Dave McGuire
New Kensington, PA
21 Dec
21 Dec
6:58 a.m.
then don't let them sudo bash.restrict sudo to the actual binary they need to
run.simple.
and don't forget: sudo make me a sandwich
Dan.
Date: Wed, 14 Dec 2011 16:21:12 -0500
From: spc at conman.org
To: cctalk at classiccmp.org
Subject: Re: breaking out of *n*x jails
It was thus said that the Great Richard once stated:
In article <539CFBE84C931A4E8516F3BBEA36C7AA4D7E8D75 at 505MBX1.corp.vnw.com>,
Rich Alderson <RichA at vulcan.com> writes:
Basically, yes. I *loathe* sudo [1], so the less I have to use it, the
better. I made the assumption that sudo bash (or any other number of
commands that have been presented) were locked, because what's the *point*
of sudo if you can just simply do "sudo bash"? [3]
-spc (sudo this, sudo that, sudo something else ... for more than one
command, sudo is an annoyance ... )
[1] It doesn't protect the system at *all*. Or rather, to prevent shell
access via sudo [2], you need to go to insane lengths in tightening
down the system. @#$@#$ that! I'll su, thank you very much.
[2] Because root shell access can cause a great amount of damage. [3]
[3] Sudo was to allow non-root users to do root-like things, but *not*
to run a @#$@ shell, or else, why not just give the users root
access? I mean---hello! Am I missing something?
That's an awful lot of schratzing around to
accomplish what a simple
GUNRUP% sudo /bin/bash
will do for you. (I use this frequently on my Snow Leopard system.)
Is there some reason you don't do 'sudo -i'?
14 Dec
14 Dec
4:27 p.m.
On Wed, Dec 14, 2011 at 07:49:39PM +0000, Rich Alderson wrote:
From: Sean Conner
Sent: Wednesday, December 14, 2011 11:16 AM
Too much typing: "sudo -s" ;-)
Kind regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
It was thus said that the Great Jochen Kunz once
stated:
> On Wed, 14 Dec 2011 00:48:15 +0000
> Liam Proven <lproven at gmail.com>> wrote:
>> Ditto, and a decent security measure too.
> It would be acceptable as a security measure
to restrict root login to
> the local text console. This prevents "missuse" of the root account but
> makes the system accessible in the event of a failure. If e.g. NIS
> breaks you can't get into a Ubuntu machine to fix the problem. All you
> can do in that situation is to hit the reset button and boot single
> user. But that is an other story...
GenericUbuntuNonRootUserPrompt% sudo vi
(while in vi)
:shell
Have fun.
-spc (Has had to do that a few times on fresh
Ubuntu installs)
That's an awful lot of schratzing around to accomplish what a simple
GUNRUP% sudo /bin/bash
4751
days inactive
4758
days old
23 comments
14 participants
participants (14)
-
als@thangorodrim.de -
barythrin@yahoo.com -
bdwheele@indiana.edu -
bfranchuk@jetnet.ab.ca -
cisin@xenosoft.com -
classiccmp@philpem.me.uk -
dgahling@hotmail.com -
fraveydank@gmail.com -
IanK@vulcan.com -
legalize@xmission.com -
mcguire@neurotica.com -
mouse@Rodents-Montreal.ORG -
RichA@vulcan.com -
spc@conman.org