Hi,
On Sat, Feb 26, 2005, Joshua Rodman wrote:
>
> Unfortunately, /etc/sudoers is a very poorly designed file with a
> confusing and difficult syntax. Additionally, in order to provide users
> with reasonable flexibility with specific tools you wish to allow them
> to use, you often open the door to complete root access via clever
> character susbstitutions.
Well, that's poor configuration from the administrator. (Please note
you're not supposed to edit /etc/sudoers directly, but you should call
"visudo" instead).
I _personnally_ find the format of the file really good as it allows
to define separately the commands that sudo might run, the users and
user groups which will will run things, and finally the list of
authorizations to run certain commands by certain users / groups with
certain rights. (I don't use the host part.)
> In short, sudo has a config which is hard to vet for correctness, is
> hard to provide useful functionality, and often allows user passwords to
> be root-password equivalent.
I completely disagree, but if you don't like the format of the file and
have suggestions for improvements, I presume you should file a bug on
sudo instead.
> It is a poor tool.
This is a subjective affirmation. I use sudo all the time for my
personal needs as an user because I want to be able to update my
network settings for example, and I don't see another way to restrict
my own rights as user to run this, and only this kind of commands.
> Do not cause gksu to require sudo, since requiring the root password has
> none of these problems.
So if someone hijacks your account, he can run any command by spying
your password? I think your argument doesn't take the whole goal of
sudo into account: the goal is to reduce the rights you offer to user
to the bare minimum. For example, only allow a fixed list of users to
run a fixed list of commands, eventually with their user password
instead of the root password (or no password at all).
If you used the root password, then there's no restriction on the
commands you can run, nor on who can run them with the root password,
nor can you tell with which user the command will be run...
However, sudo can be configured to ask for the root password and allow
running any command, please see the "rootpw" (or "runaspw" for commands
running as root), and see the default privilege specification:
root ALL=(ALL) ALL
Bye,
--
Loïc Minier <[EMAIL PROTECTED]>
"Neutral President: I have no strong feelings one way or the other."
