edit root alias when installing the OS
pemboa at gmail.com
Thu Jan 5 19:48:02 UTC 2006
On 1/5/06, Tommy Reynolds <Tommy.Reynolds at megacoder.com> wrote:
> Uttered n0dalus <n0dalus+redhat at gmail.com>, spake thus:
> > I know other distributions do this, but I don't think it is a good
> > idea. Adding the first user to /etc/sudoers means that any malware
> > only needs to get that user's password, or get itself to run after you
> > use sudo, and then it gets root access.
> > I don't see what is wrong with using su.
> 1) Once any non-admin learns the root password, everybody knows the root
> password. And unless the admin wants to do every trivial admin
> activity, the root password must be given out and thus compromized.
> 2) Root logins are security problems because you can't tell which
> human actually logged on in the guise of root. Whom do you fire,
> even if you figure out what was done?
> 3) Sudo(1) allows fine control over which programs a user can run as
> any other user.
> 4) With sudo(1), an authenticated user must reauthenticate to run a
> program as another user. (Trusted users need not reauthenticate.)
> 5) Sudo(1) logs the activity so you will have an audit trail. System
> console, and syslog.
> Using sudo(1) is a big security win. Unfortunately, the man(1) page
> is a bit confusing for newbies and using su(8) seems so convenient.
> But with a small setup step, I can safely allow:
> $ sudo rpm -Uvh /path/to/a/package
> to be run by a trusted user because I'll get notices about it the
> attempt, its success or failure, as well as getting a record about
> what command line was used.
> Seems to me that there is a need for a system-config-sudo from someone who
understands it all. I am ashamed to say that I have very little about it.
As a boy I jumped through Windows, as a man I play with Penguins.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the fedora-devel-list