Adding OpenBSD sudo to the FreeBSD base system?

Xin LI delphij at frontfree.net
Thu Jul 21 15:53:14 GMT 2005 

On Thu, Jul 21, 2005 at 10:23:33AM -0500, piechota at argolis.org wrote:
> > FWIW, I don't see any reason to include sudo in the base system. It's
> > something that I install on every computer, but I don't mind building
> > the port or installing it from a package. Unlike some of the other
> > things I usually want on every system (e.g., emacs), it's small and
> > doesn't have any dependencies, so it's not a problem to install it as
> > soon as the system is online. That said, I wouldn't object to having
> > it in the base, either.
> 
> I see two reasons for a "nay" vote: If we put everything a group of people
> find useful in the base system, we're going to end up with soemthing like
> Redhat, where there's tons of software the rarely gets used.  Secondly,
> some 'customers' have a very dim view of sudo (mostly for bad reasons, but
> they ban it anyways).

My reasons for why not to have sudo(1) in our base is that:
  - It is actively maintained and generally speaking it won't be hard to
    build/install from ports collection.
  - It provides another way of utilizing privileges, and needs careful
    configuration.
  - We do not have a killer application to ease maintaince of the
    configuration (yet).

The reasons why it can be in our base is that:
  + It is cool because fine grained access to the privilege is possible,
    and it is the tool that I will want to install on every boxes.
  + It's BSD licensed

So my position would be neutral.  Personally I would prefer the following
scheme:

  o FreeBSD Base System is what we "must have" in a basic Unix system,
    including ls, cat, libc, your kernel, etc.
  o A set of pre-built packages included in disc1 provides what most
    people will want, and is small enough, e.g. sudo, c[vs]up, portaudit,
    freebsd-update, better development environment or scripting languages,
    e.g. python, etc.  These ports are considered special or security
    critical, maybe maintained under the src/ tree (or sort of), causing
    every "make buildworld" with some symbol defined to cover upgrades
    of them, but also permitting portaudit to check vulnerabilities on
    these packages.

Of course this scheme would be complex to implement, so just my 0.02 RMB :-)

Cheers,
-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20050721/b996a786/attachment.bin

More information about the freebsd-security mailing list