FW: Adding OpenBSD sudo to the FreeBSD base system?

Stephen Major smajor at gmail.com
Thu Jul 21 17:14:38 GMT 2005


I really do not agree with adding it to the base system.

Just because you guys use sudo does not mean other people do.
In fact many people do not have a use for sudo at all.
Not everyone gives out root accounts. You are only adding another utility
in that can possibly be used to escalate privileges.
Every time I secure a system I spend some time removing files that are never
needed and would not want people to access. So you are saying I would have
to add another one to the list?

Su works just fine for 60% of the people out there! Leave sudo in the ports.

You do not see a bunch of people asking to make apache part of the base
system. Really there is no difference in what you are asking. Just another
program that is not going to get used by everyone.

-----Original Message-----
From: owner-freebsd-security at freebsd.org
[mailto:owner-freebsd-security at freebsd.org] On Behalf Of Xin LI
Sent: Thursday, July 21, 2005 8:53 AM
To: piechota at argolis.org
Cc: freebsd-security at freebsd.org; Dima Dorfman
Subject: Re: Adding OpenBSD sudo to the FreeBSD base system?

* PGP Signed by an unknown key: 07/21/05 at 08:52:41
On Thu, Jul 21, 2005 at 10:23:33AM -0500, piechota at argolis.org wrote:
> > FWIW, I don't see any reason to include sudo in the base system. It's
> > something that I install on every computer, but I don't mind building
> > the port or installing it from a package. Unlike some of the other
> > things I usually want on every system (e.g., emacs), it's small and
> > doesn't have any dependencies, so it's not a problem to install it as
> > soon as the system is online. That said, I wouldn't object to having
> > it in the base, either.
> 
> I see two reasons for a "nay" vote: If we put everything a group of people
> find useful in the base system, we're going to end up with something like
> Redhat, where there's tons of software that rarely gets used.  Secondly,
> some 'customers' have a very dim view of sudo (mostly for bad reasons, but
> they ban it anyways).

My reasons for why not to have sudo(1) in our base are that:
  - It is actively maintained and generally speaking it won't be hard to
    build/install from ports collection.
  - It provides another way of utilizing privileges, and needs careful
    configuration.
  - We do not have a killer application to ease maintenance of the
    configuration (yet).

The reasons why it can be in our base are that:
  + It is cool because fine grained access to the privilege is possible,
    and it is the tool that I will want to install on every box.
  + It's BSD licensed

So my position would be neutral.  Personally I would prefer the following
scheme:

  o FreeBSD Base System is what we "must have" in a basic Unix system,
    including ls, cat, libc, your kernel, etc.
  o A set of pre-built packages included in disc1 provides what most
    people will want, and is small enough, e.g. sudo, c[vs]up, portaudit,
    freebsd-update, better development environment or scripting languages,
    e.g. python, etc.  These ports are considered special or security
    critical, maybe maintained under the src/ tree (or sort of), causing
    every "make buildworld" with some symbol defined to cover upgrades
    of them, but also permitting portaudit to check vulnerabilities on
    these packages.

Of course this scheme would be complex to implement, so just my 0.02 RMB :-)

Cheers,
-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.

* Unknown Key
* 0x1159888A




