FW: FW: FW: Adding OpenBSD sudo to the FreeBSD base system?

Thu Jul 21 19:07:39 GMT 2005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I have grabbed some quotes from various discussions on this topic these are
other peoples opinions!

">Regarding su vs. direct login, you should use su, it doesn't give
> you much, but it does give you knowledge of who logged in as root
> and when (provided that he did not edit the logs :-)

Yes, it gives you a huge advantage, assuming you disable direct root 
logins and only certain accounts are allowed to run su(1).  The advantage 
is that in order to gain root access, you must compromise either a 
daemon running as root, or an account capable of running su.  This 
decreases your vulnerable profile, as only certain accounts can be used 
to gain root privileges at all."

"> Regarding su vs. direct login, you should use su, it doesn't give
> you much, but it does give you knowledge of who logged in as root
> and when (provided that he did not edit the logs :-)
And if you follow up by disabling direct root logins, you now must first
authenticate as a user in order to attempt to guess the root password,
and you get those attempts logged. That's a bigger win than logging
successful root logins IMO :-)

The biggest advantage of sudo, though, is less security-related and more
"what did that admin do at 3 am?". Because sudo logs every command, you
can see just what was done. Obviously, a malicious user could circumvent
this most if not all of the time, but it can be great for seeing what
was done with good intentions."

"Understand I am NOT arguing against sudo.  Properly setup, it's
a wonderful tool for giving the power you want to sub-admins and 
even co-admins get benefit from using it.  But that doesn't mean
that I'd lock myself out of root entirely as Apple has done.  This
is an area where they did it wrong, just like having tcsh as the 
default shell."

And beyond that how many holes you going to create by replacing su with sudo
just because some admin does not know how to configure it correctly?

I too understand the usefulness of the tool but do not replace su with it,
many of us like su and how it operates. My servers for instance have 2
accounts in the wheel group, and su to root is perfect for that application.

- -----Original Message-----
From: owner-freebsd-security at freebsd.org
[mailto:owner-freebsd-security at freebsd.org] On Behalf Of Mike Hunter
Sent: Thursday, July 21, 2005 11:55 AM
To: Stephen Major
Cc: freebsd-security at freebsd.org
Subject: Re: FW: FW: Adding OpenBSD sudo to the FreeBSD base system?

On Jul 21, "Stephen Major" wrote:

> Sudo requires extra configuration that su does not.
> 
> Why should I have to waste my time configuring another app just because a
> handful of people want it? I like su and how it works and I guarantee I am
> not the only one. You want it replaced replace it your self
> cd /usr/ports/security/sudo && make install clean
> 
> That simple! Don't waste our time because you want something to be easier
> for you

Last week I had to do a little work on a 1980's AT&T Unix box.  I'm glad
that yours isn't the only opinion that has shaped the evolution of unix,
or else I'd probably still be using such OSes all day!

Sudo is a great tool, and adding it as part of the base system would be
a great way to advance the FreeBSD security and usability baseline.  After
time, maybe enough people would start using sudo in place of su and it
would be time to consider retiring su...a process that has happened
thousands of times as a natural part of an evolving OS.

Mike
_______________________________________________
freebsd-security at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.1 (Build 2185)

iQEVAwUBQt/yRqKXvLS903/FAQq5xggAnjeB7D1DJXIj64lBCxvRQ/uIsDlXm94h
ey+3c9DLh1jpfUXcNInPi5wSVC8mJDWnu/msT1dWL9hwJvM7+N7WcEgeAOX0D8A2
ZUeE8jhukSLdSDCa1le9htOYkyTgNpgOpqodMeo5p8o/tIvh4YGybC1yQ4gZh2J3
Uq+JmbbciDYesP/NgITlLZei2INAZinhDyQwDkabWiRkrxIWzfYUlhWZpV48H7ov
UiGDMkqMkhqTuMc7H/FuMxMEIKmvEhKYpxI/seY2DFxak2puWwSEU1rVpkzbf5bA
s0G9w0tdxw4ohQXukLG0O2pp+/7DJloJmsTI7+/wKp8eyqsWnAxY6g==
=jao8
-----END PGP SIGNATURE-----