On Wed 29 Jan 2020 at 09:04:43 (+0200), Andrei POPESCU wrote:
> On Ma, 28 ian 20, 08:24:29, David Wright wrote:
> >
> > My view is that more damage is done to home systems by the sysadmins
> > than by external malice, so anything that protects the system from
> > such damage is a useful resource. I think that selective sudo¹
> > provides one way of reducing damage by separating critical operations
> > (done by su'ing to root) from the benign day-to-day maintenance
> > done using sudo.
> >
> > ¹ by selective sudo I mean
> >
> > $ sudo some-command …
> > $
>
> Do you mean setting up sudo only for specific commands? That is surely
> useful to delegate specific tasks (e.g. 'apt update && apt upgrade') to
> an advanced user.

Yes, though I have to be the "advanced" user as there's no other
candidate. (Note that there's no password prompt between those two
bash prompts.) I add commands to my sudoers files on the basis of
how frequently I need them and how benign they are. I gave a few
examples a couple of posts ago.

> > rather than the locked-up sudo-only scheme that you can select with
> > the debian-installer. I'm not familiar with the latter.
>
> Debian's sudo setup is quite simple: members of group 'sudo' get full
> root privileges by providing their *own* password. 'sudo some-command'
> works, as well as 'sudo -i' to get a root shell. Root logins (and
> consequently also 'su') are disabled.
>
> In my opinion sudo is best used something like:
>
> $ sudo apt update
> $ apt search some_string
> $ apt show some_package
> $ sudo apt install some_package
> $ man some_program
> $ sudo some_program do_stuff_requiring_root
> etc.
>
> Hope this explains,

Well, there would be corner cases I'd want to find out about before
I'd change my habits. For example, how does this scheme affect

# scp … root@somewhere:

and

$ scp … root@somewhere:

Also unanswered from two posts ago: "what happens when you boot into
single/recovery mode from grub—what are you presented with?"

Lastly, what are the benefits that I would reap from changing over?

Cheers,
David.
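
The two schemes compared in this thread, written out as a sudoers fragment. This is an added example, not configuration posted by either participant; the file name, the user name "david" and the choice of commands in the alias are assumptions made for illustration.

```sudoers
# /etc/sudoers.d/selective   (hypothetical file name)
# Syntax-check before relying on it:  visudo -cf /etc/sudoers.d/selective
# "david" is a placeholder user name.

# Blanket scheme described in the thread (Debian's stock rule):
# members of group 'sudo' may run anything as root after giving
# their own password. Shown commented out for comparison.
# %sudo   ALL=(ALL:ALL) ALL

# Selective scheme: only the listed commands, given by full path and
# with their arguments pinned. Because arguments are specified, sudo
# matches only these exact command lines; any other apt subcommand
# falls outside this rule.
Cmnd_Alias APT_ROUTINE = /usr/bin/apt update, /usr/bin/apt upgrade

# No password prompt for the routine commands, and nothing else
# is granted by this rule.
david   ALL=(root) NOPASSWD: APT_ROUTINE
```

Running `sudo -l` as that user lists exactly what the rule grants, which is a quick way to confirm that nothing broader has been delegated.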