Stephen Major
2005-Jul-21 19:07 UTC
FW: FW: FW: Adding OpenBSD sudo to the FreeBSD base system?
I have grabbed some quotes from various discussions on this topic; these are other people's opinions!

"> Regarding su vs. direct login, you should use su, it doesn't give
> you much, but it does give you knowledge of who logged in as root
> and when (provided that he did not edit the logs :-)

Yes, it gives you a huge advantage, assuming you disable direct root logins and only certain accounts are allowed to run su(1). The advantage is that in order to gain root access, you must compromise either a daemon running as root, or an account capable of running su. This decreases your vulnerable profile, as only certain accounts can be used to gain root privileges at all."

"> Regarding su vs. direct login, you should use su, it doesn't give
> you much, but it does give you knowledge of who logged in as root
> and when (provided that he did not edit the logs :-)

And if you follow up by disabling direct root logins, you now must first authenticate as a user in order to attempt to guess the root password, and you get those attempts logged. That's a bigger win than logging successful root logins IMO :-)

The biggest advantage of sudo, though, is less security-related and more "what did that admin do at 3 am?". Because sudo logs every command, you can see just what was done. Obviously, a malicious user could circumvent this most if not all of the time, but it can be great for seeing what was done with good intentions."

"Understand I am NOT arguing against sudo. Properly set up, it's a wonderful tool for giving the power you want to sub-admins and even co-admins get benefit from using it. But that doesn't mean that I'd lock myself out of root entirely as Apple has done. This is an area where they did it wrong, just like having tcsh as the default shell."

And beyond that, how many holes are you going to create by replacing su with sudo just because some admin does not know how to configure it correctly?

I too understand the usefulness of the tool, but do not replace su with it; many of us like su and how it operates. My servers for instance have 2 accounts in the wheel group, and su to root is perfect for that application.

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Mike Hunter
Sent: Thursday, July 21, 2005 11:55 AM
To: Stephen Major
Cc: freebsd-security@freebsd.org
Subject: Re: FW: FW: Adding OpenBSD sudo to the FreeBSD base system?

On Jul 21, "Stephen Major" wrote:

> Sudo requires extra configuration that su does not.
>
> Why should I have to waste my time configuring another app just because a
> handful of people want it? I like su and how it works and I guarantee I am
> not the only one. You want it replaced, replace it yourself:
> cd /usr/ports/security/sudo && make install clean
>
> That simple! Don't waste our time because you want something to be easier
> for you

Last week I had to do a little work on a 1980's AT&T Unix box. I'm glad that yours isn't the only opinion that has shaped the evolution of unix, or else I'd probably still be using such OSes all day!

Sudo is a great tool, and adding it as part of the base system would be a great way to advance the FreeBSD security and usability baseline. After time, maybe enough people would start using sudo in place of su and it would be time to consider retiring su...a process that has happened thousands of times as a natural part of an evolving OS.

Mike

Stephen Major
2005-Jul-21 19:19 UTC
FW: FW: FW: Adding OpenBSD sudo to the FreeBSD base system?
http://www.freshports.org/security/sudo/

There it is in the ports tree; do your research before saying that my claim is baseless.

And stop before you come back with saying you have to configure it, because that is exactly my point: I do not have to configure anything to use su.

And no, you could not make sudo "out of the box" ready for everyone's application. Otherwise the default configs would already be that way when you installed it from ports.

I only want 2 users on my system to be in the wheel group and su to full root. But the next guy might want sudo and be able to give limited access to several "sub-admins".

From my perspective su is more secure than sudo in the fact that an idiot admin cannot screw it up. Unless they set some dumb root password, for example: 1234admin

-----Original Message-----
From: asym [mailto:bsdlists@rfnj.org]
Sent: Thursday, July 21, 2005 12:05 PM
To: Stephen Major; freebsd-security@freebsd.org
Subject: Re: FW: FW: Adding OpenBSD sudo to the FreeBSD base system?

At 14:41 7/21/2005, Stephen Major wrote:

>Sudo requires extra configuration that su does not.
>
>Why should I have to waste my time configuring another app just because a
>handful of people want it? I like su and how it works and I guarantee I am
>not the only one. You want it replaced, replace it yourself:
>cd /usr/ports/security/sudo && make install clean
>
>That simple! Don't waste our time because you want something to be easier
>for you

No such implication exists. Your claim is baseless. If sudo WERE included in the base system, the default configuration COULD be set up to mimic the very simplistic behavior of su. Hence, you would have to do absolutely nothing, it would only save work.

I agree that if sudo is to be called as su (via symlink) as someone else pointed out, then it should behave the same way, but that's a simple thing to do even if sudo doesn't currently support it. I don't know, I only use su long enough to install my "must haves" like sudo, then never again.