On Wed, 2009-07-29 at 21:23 -0700, Josh Triplett wrote:
> The configuration of
> sudo 1.7.2-1 provides equivalent behavior to that of all versions of
> the Debian sudo package until version 1.6.8p12-5 from 2007, and nobody
> complained about security issues. 

Well, actually, various people *did* complain about this, I just got in
the habit of ignoring them.

> I filed bug 536222 in the hopes of achieving a more useful default sudo
> configuration.  If people have specific security concerns about allowing
> passwordless sudo for group sudo by default, I will happily do whatever
> I can to address them, up to and including providing patches for the
> Debian sudo package to make it easier for people to achieve the
> configurations they want.  Please let me know what I can do to help.

You make a reasonable argument, but I also find it reasonable that someone
new to Debian might be very surprised by our historical use of group
sudo.  The upstream default is to not have sudo work this way, and I had
to use an option to configure to enable it.  In fact, reviewing the
changelog, this is a behavior I inherited from the previous maintainer
of sudo a decade or so ago... it's not an option I would likely have
chosen to enable myself.

So at the end of the day, I'm afraid this is a place where people could
just agree to disagree, and in these cases I think I'm more inclined to
follow upstream default behavior and lean in the theoretically more
secure direction.  However, this is influenced by the fact that *I* have
never actually used the special behavior of group sudo in Debian
myself... so if there are some really compelling use cases I don't know
about, I'm certainly willing to listen!

Bdale
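As an added illustration of the two defaults the thread is arguing over (this is editorial, not text from either mail or from the Debian sudo package), the two policies look like this side by side in sudoers syntax. The first line is my reconstruction of the historical Debian group-sudo entry and is an assumption; the second is the standard upstream-style form; the third entry, with its account name and command path, is a constructed placeholder showing the narrower shape a passwordless rule can take.

```sudoers
# Historical Debian behaviour (assumed reconstruction, not quoted from the
# thread): any member of group "sudo" may run anything as root without
# being asked for a password.  A hijacked shell session, a malicious
# dotfile, or a stray script running as such a user gets root with no
# further check and no credential prompt to notice.
%sudo   ALL=NOPASSWD: ALL

# Upstream-style default (standard sudoers syntax): members of group
# "sudo" may still run anything as any user, but must authenticate first,
# which also produces an auditable prompt/log entry per privilege use.
%sudo   ALL=(ALL:ALL) ALL

# If a passwordless entry is genuinely needed for one unattended task,
# scope it to one account and one exact command instead of granting ALL.
# "deploy" and the command path below are constructed placeholders.
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart myservice
```

Edit the policy with visudo, which refuses to save a file that does not parse, or check a drop-in fragment with `visudo -c -f /etc/sudoers.d/<file>` before installing it; a syntax error in sudoers can lock every administrator out of root rather than merely weakening the policy.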