Should sudo be used?

Kevin Kinsey kdk at daleco.biz
Thu Apr 5 13:56:38 UTC 2007


Victor Engmark wrote:
> Hi all,
> 
> I thought it would be a good idea to use sudo on my FreeBSD laptop, but I'm
> having doubts after checking the handbook (it's not mentioned at all) and
> Google (most of the articles were obscure and / or old).

It's not mentioned in the FreeBSD Handbook because it's not part
of the FreeBSD "base system".  It would open up a rather big door that
the FDP doesn't wish to run through if they began writing up instructions
for software that's not in the base.  I don't know if any research exists to
tell us how many FreeBSD machines have sudo installed, though; I'd wager
more than a few.
 
> Are you using sudo? If not, why?

Absolutely.  ---

Pietro Cerutti:
>  Yes I am. I would say anything allowing not to use the root password
> is worth using. 
 
Root passwords can be "visually sniffed" by someone nearby.  Good reason.

Christian Walther:
> Well, sudo makes execution of several commands or script as another
> user quite simple because there's no need to enter the root password.

It's a handy tool for calling your own scripts, or running unprivileged
scripts that need to perform a privileged operation.  I believe Christian
also mentioned shell aliases; one example from our usage is allowing a
non-privileged user to establish a PPP connection; either a CLI alias 
or a GUI button aliased to "sudo ppp -background myisp".  In my GUI
I don't wish to run as root; sudo is used so I can be "me" and still have 
pretty buttons that run Ethereal, format a floppy disk, etc.  And 
"alias | grep -c sudo" in my shell returns 11, although some of those
aren't used frequently.

Amarendra Godbole:
> My primary reason is proper logging in the syslog.

Valid; another primary reason is keeping tabs on other people via the
same mechanism.  Technically, I'm the only "user" on my box, but it's
the gateway and proxy server for our LAN, so I know if an employee is
trying something with sudo; I'm teaching my 13-year-old a little 
Unix-fu, and was gratified to get email from sudo last month letting
me know he had attempted to "unban" an online game he's been "grounded"
from by our Squid proxy.

Obviously, there are differences of opinion about sudo; OpenBSD has
it as part of their "base system", but enough "controversy" (if that's
the right word, and it probably isn't) exists that the BSD Certification
group wrote this as a learning objective:

]   Be familiar with standard system administration practices used 
]    to minimize the risks associated with accessing a system. These include:
]
]    * using ssh instead of telnet
]    * denying root logins
]    * (possibly) using the third-party sudo utility instead of su, and
]    * minimizing the use of the wheel group.

As (I think?) someone else mentioned, "tools, not policy" is a UNIX 
axiom.  So, it's up to you to make your own policy.  #include <disclaimer.h>, 
YMMV, and all that.

Kevin Kinsey
-- 
At social gatherings, I would amuse everyone by standing uponst the
coffee table and striking meself repeatedly upon the head with a brick.
		-- H. R. Gumby
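
The syslog trail discussed in the message above can be reviewed mechanically. As an added example (not part of the original post), this Python code pulls refused sudo attempts out of syslog text; the log lines are constructed samples in sudo's usual syslog layout, and the host name, user names and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original post), in the layout sudo
# normally writes to syslog: "<user> : [reason ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SAMPLE_LOG = """\
Apr  5 13:40:02 gw sudo:    kevin : TTY=ttyp0 ; PWD=/home/kevin ; USER=root ; COMMAND=/usr/sbin/ppp -background myisp
Apr  5 13:41:17 gw sudo:   junior : command not allowed ; TTY=ttyp1 ; PWD=/home/junior ; USER=root ; COMMAND=/usr/local/sbin/squid -k reconfigure
Apr  5 13:42:50 gw sudo:    guest : user NOT in sudoers ; TTY=ttyp2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh
Apr  5 13:43:05 gw sudo:   junior : 3 incorrect password attempts ; TTY=ttyp1 ; PWD=/home/junior ; USER=root ; COMMAND=/bin/cat /etc/master.passwd
Apr  5 13:44:00 gw sshd[812]: Accepted publickey for kevin from 192.0.2.10 port 50022 ssh2
"""

LINE_RE = re.compile(r"\ssudo(?:\[\d+\])?:\s+(?P<invoker>\S+) : (?P<body>.*)$")


def parse_sudo_line(line):
    """Return a dict for a sudo syslog line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # COMMAND= is the last field and may itself contain ';', so split it off first.
    body, _, command = m.group("body").partition("COMMAND=")
    rec = {"invoker": m.group("invoker"), "command": command.strip(), "reason": None}
    for part in filter(None, (p.strip() for p in body.split(";"))):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            rec[key] = value          # TTY, PWD, USER (the target account)
        else:
            rec["reason"] = part      # free text only appears when sudo refused
    return rec


def denied_attempts(log_text):
    """Group refused sudo attempts by the account that made them."""
    denied = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and rec["reason"]:
            denied[rec["invoker"]].append((rec["reason"], rec["command"]))
    return dict(denied)


if __name__ == "__main__":
    for user, attempts in denied_attempts(SAMPLE_LOG).items():
        for reason, command in attempts:
            print(f"{user}: {reason}: {command}")
```

Successful runs carry no free-text reason and are skipped; check the field layout against your own logs before relying on it.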

