[Wylug-discuss] Sudo

Smylers Smylers at stripey.com
Fri Apr 11 15:21:10 BST 2008


Anne Wilson writes:

> I've never been entirely comfortable with the concept of sudo.

Sudo is great!

* You can give somebody root access without having to tell him the root
  password, meaning that you can later easily revoke access.

* Somebody who needs to run just a few programs as root can be given
  privileges to do that without her being able to run anything as root.

* Or rather than having programs run as root you can invent specific
  accounts for them to run as (which have more privs than your users,
  but less than root).  This makes it easy to do things like having all
  staff be able to run a program without them having privs to read the
  config files used by that program.

* You can have privileges automatically assigned based on Unix user
  groups, so adding somebody to the 'sales' or 'sysadmin' groups
  automatically confers appropriate privs.

* Because nobody ever needs to log in as root you can disable that from
  being possible.

* Because sys-admins running programs using sudo do so from their own
  shells, their own .bashrc, .vimrc, and so on are in effect --
  everybody can have their own preferred config rather than having to
  fight over the config of the root account.

Don't fear sudo!

> Looking at /etc/sudoers on the EeePC I see that it has the line
> 
> user	ALL=(ALL) NOPASSWD:ALL
> 
> Can this really be safe?

Not in the usual sense of the word, no.  (But don't blame sudo for
that!)

But in the context of a home PC it may not be terrible.  Many PCs --
whatever OS they are running -- have only one user, or everybody logs in
as the same user, or everybody has full admin privs anyway (or knows the
root password, or whatever).

The "NOPASSWD:" bit also means that any software you download can easily
run anything as root; without that any human can still choose to run any
command as root, but at least the prompt for his password would make him
aware of it.

Smylers
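
As an added example (not part of the original message): a small Python check over sudoers text that flags rules like the EeePC line quoted above, where NOPASSWD ends up applying to ALL commands, including through tag carry-over within a rule. The sample file, the `deploy` and `backup` users, the `reports` account and the command paths are constructed; the parser handles only simple user specifications (no aliases, includes, uid entries or colon-separated host lists).

```python
import re

TAG = re.compile(r"^\s*([A-Z_]+)\s*:")   # e.g. "NOPASSWD:", "PASSWD:", "NOEXEC:"
SKIP = re.compile(r"^(Defaults|(User|Runas|Host|Cmnd)_Alias|@include)")

# Constructed sample; only the "user" line is taken from the message above.
SAMPLE = """\
# constructed sudoers sample
Defaults  env_reset
root      ALL=(ALL) ALL
user      ALL=(ALL) NOPASSWD:ALL
%sysadmin ALL=(ALL) ALL
%sales    ALL=(reports) NOPASSWD: /usr/local/bin/sales-report
backup    ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: ALL
deploy    ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, ALL
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def nopasswd_all(text):
    """Return the user/group of every rule allowing ALL commands without a password."""
    flagged = []
    for line in logical_lines(text):
        if SKIP.match(line) or "=" not in line:
            continue
        left, specs = line.split("=", 1)
        who = left.rsplit(None, 1)[0]            # drop the host list
        specs = re.sub(r"\([^)]*\)", "", specs)  # drop Runas specs such as (ALL)
        nopasswd = False                         # tags carry over to later commands
        for spec in specs.split(","):
            while (m := TAG.match(spec)):
                if m.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = m.group(1) == "NOPASSWD"
                spec = spec[m.end():]
            if nopasswd and spec.strip() == "ALL":
                flagged.append(who)
    return flagged

if __name__ == "__main__":
    print(nopasswd_all(SAMPLE))
```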


