Why reccomend Bash shell?
Kevin D. Kinsey, DaleCo, S.P.
kdk at daleco.biz
Thu Dec 16 14:39:39 PST 2004
Paul Schmehl wrote:
> --On Thursday, December 16, 2004 11:11:03 AM +0000 Matthew Seaman
> <m.seaman at infracaninophile.co.uk> wrote:
>
>>
>> On the other hand, I take the view that the less done by the super user
>> the better, and discourage myself to use sudo(1) preferentially and to
>> keep su(1) sessions as short as possible by making root's shell as
>> /unfriendly/ as possible.
>>
> Is this a religious argument? Or is there a sound security basis for it?
>
> I ask because I'm not sure I see the difference. I prefer to leave sudo
> set up to prompt for a password. This at least reminds you that what
> you're doing is "root's" work (and if you screw up, you could do "bad"
> things.) If I'm going to do a lot of work, I just su - to root, do
> the work
> and then get out. I don't allow remote root access, so I'm wondering -
> am I exposing my systems to some unnecessary risk? Or is this just
> a matter of personal preference?
The primary reason, IMHO, for such an opinion is just what you
mention --- the danger that, as root, you'll fsck some command
line (the infamous "rm -rf /*") and cook your goose in its own grease....
[Come to think of it, I got myself in a little trouble once by quitting
the editor on /etc/fstab a little too quickly (before double checking
what I'd typed --- can't say it'd been any different using sudo, though)].
In your case, I'd venture the opinion that if you're not using NOPASSWD
with sudo, you've pretty much got this concern taken care of, as much as
can be expected.
I also think maybe he meant to use "encourage" instead of "discourage",
but you'd really have to ask him ....
Kevin Kinsey
More information about the freebsd-questions
mailing list