Should sudo be used?
kdk at daleco.biz
Thu Apr 5 15:41:48 UTC 2007
> On Thu, 05 Apr 2007 08:56:28 -0500
> Kevin Kinsey <kdk at daleco.biz> wrote:
>> Victor Engmark wrote:
>>> Hi all,
>>> I thought it would be a good idea to use sudo on my FreeBSD laptop,
>>> but I'm having doubts after checking the handbook (it's not
>>> mentioned at all) and Google (most of the articles were obscure
>>> and / or old).
>> It's not mentioned in the FreeBSD Handbook because it's not part
>> of the FreeBSD "base system".
> Although neither are Gnome, mplayer or growisofs, and they are covered.
Hmm, indeed. I'm guessing that someone took it upon themselves
to write up these packages, and the FDP accepted their contributions,
but I'm not sure.
I've not time ATM to find where the flamewars start on the sudo
question, though. Probably tossing some meat to doc@ I could
get one started, but I'm not sure that's a good use of anyone's
time, exactly. Besides, the standard issue over there is, "write
it yourself" anyway. However, for my own growth I should find out when
(if?) such a discussion was held and try and understand the
the "sudo should be/should not be in base" issue - not that one
exists necessarily on this Project, but it certainly does on Open-
>> It's a handy tool for calling your own scripts, or running
>> unprivileged scripts that need to perform a privileged operation. I
>> believe Christian also mentioned shell aliases; one example from our
>> usage is allowing a non-privileged user to establish a PPP
>> connection; either a CLI alias or a GUI button aliased to "sudo ppp
>> -background myisp". In my GUI I don't wish to run as root; sudo is
>> used so I can be "me" and still have pretty buttons that run
>> Ethereal, format a floppy disk, etc..
> I think you have to be careful about what you are allowing to be done
> from general purpose accounts. If you give these authority to install
> or upgrade software, you might just as well be using Windows XP.
Well, that doesn't exactly follow, logically; file permissions et al
are only one piece of the *BSD puzzle and weren't the primary reason
(and maybe weren't much of a consideration at all) for my choice of
using FreeBSD when possible instead of Windows.
Also, "general purpose" could mean many things; if it means me, I'm
not the least bit worried about it. If it means someone who's similar
to a typical Windows user, I'm not *that* worried about it, either, although
it requires some extra precaution. In my experience, those users don't
want to know how things work and aren't likely to attempt make(1). It's
the people with some amount of curiosity and/or basic "Unix-fu" (like
my aforementioned 13-year old) who are most dangerous when sudo is
installed. And, those people are likely aware of the existence of su
as well, so the only thing barring havoc where they are concerned is
the lack of knowledge of the root passphrase. Which, it seems, is
why finer-grained controls such as those offered by sudo (and better
examples exist: MAC, ACLs, etc.) are necessary anyway.
> BTW ppp can run as any user listed in "allow users" in ppp.conf.
Handy to know; thanks.
Of course, sudo can control PPP, ifconfig, mount, squid, Apache,
rc files, cp/scp/tar/cpio/dump, ... err, anything. ;-) "Tools,
not policy" still stands.
If at first you don't succeed, destroy all evidence that you tried.
More information about the freebsd-questions