[sf-lug] GKsu has long been EOLed

Jim Stockford jim.stockford at gmail.com
Sat Feb 16 13:47:25 PST 2019


Using  sudo  for root-privileged actions promotes tracking
of who did what when, which  su -  does not so easily:
correct? incorrect?


On Sat, Feb 16, 2019 at 10:56 AM Rick Moen <rick at linuxmafia.com> wrote:

> Quoting Akkana Peck (akkana at shallowsky.com):
>
> > You make an excellent point. I'd just been taking this "allowing
> > ssh as root is horribly dangerous" gospel without examining it.
>
> And, if you think about it, the way Ubuntu and similar distributions use
> sudo is pretty questionable from a security standpoint, too:  It
> conditions the user to think of root privilege as just a bureaucratic
> detail with a command prefix, and not even requiring a separate
> password.  IMO, it makes root mishaps _more_ likely, not less.
>
> There are other ways to use sudo, e.g., making escalating to system
> privilege require a separate, root-specific password rather than just
> using the admin user's regular password.  (Aside from that, the BSD
> practice of restricting even the ability to escalate privilege to
> members of a 'wheel' group has a lot of merit, and can be implemented on
> Linux with a little PAM adjustment.)
>
> Personally, I prefer the old-school conceptual model, where root is just
> a dramatically different user reached by doing 'su -', whereupon the
> shell prompt changes from '$' to '#', to remind you that you are now
> playing with fire, need to watch your step, and should probably exit
> that subshell and drop root privilege as soon as possible.  My friend
> Richard Couture, who owned and ran the famous CoffeeNet Linux-based
> Internet cafe in South of Market, SF, used to further underline that
> point by causing all root-user xterm windows to have a red background.
>
> Works for Me.[tm]
>
>
> > Oh, yes, I certainly agree with that -- which is why I don't run
> > any of those defaults.
>
> (Reminds me, aka please pardon the slight change of subject:)  It's easy
> to forget, when you're a software nerd, that, by and large, when you
> talk to the general public and diligently detail for them how they
> should customise their software, that they're going to nod and listen
> and sound receptive -- but then do _absolutely nothing_.
>
> This was a lesson computer nerds learned only slowly after the Great
> Unwashed discovered the Internet, and especially after the Year of
> Endless September (https://en.wikipedia.org/wiki/Eternal_September),
> 1993, when AOL opened its Internet gateway.  You can still find all
> manner of nerd-written, optimistic FAQs where we of the computerist
> community patiently and concisely explained how to do interleaved
> quoting, how and why to trim quotations, why HTML and binary attachments
> have no place on Usenet and mailing lists, and so on.
>
> All of that documentation and assiduous help had approximately zero
> effect, because the experts giving that assistance simply couldn't
> conceive of _never touching the defaults_ -- yet, that's how Joe and
> Jane Sixpack do their computing.  Every.  Time.
>
> Except, of course, when they get social-engineered into downloading and
> installing (malware) 'toolbars' into their Web browsers and such.
>
>
> [apulse:]
>
> > THANK YOU! What a wonderful option, which I will definitely try.
>
> You're very welcome.  I hope it does the trick.


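An added illustration of the tracking question in this thread (not part of the original message or of any poster's own code): it reads constructed syslog-style lines from sudo and su and reports which root actions the log attributes to a named user per command, and which only show a root shell starting. The log layout, host, user names and the `SHELLS` set are assumptions; the exact format varies by distribution.

```python
import re

# Constructed sample lines in the common syslog layout written by sudo and su
# (assumption: the exact layout varies by distribution and version).
SAMPLE_LOG = """\
Feb 16 13:40:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Feb 16 13:41:10 host su[2101]: (to root) bob on pts/1
Feb 16 13:41:10 host su[2101]: pam_unix(su-l:session): session opened for user root by bob(uid=1000)
Feb 16 13:45:33 host sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Feb 16 13:50:02 host sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/systemctl restart ssh
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SU_RE = re.compile(r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on ")
# Programs that hand over an interactive root shell (illustrative, not exhaustive).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/bash", "/bin/su", "/usr/bin/su"}


def attribute(log_text):
    """Return (user, kind, detail) tuples. kind is 'command' when the log names
    the command run as root, 'shell' when it only shows a root shell starting."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m and m["target"] == "root":
            program = m["cmd"].split()[0]
            kind = "shell" if program in SHELLS else "command"
            events.append((m["user"], kind, m["cmd"]))
            continue
        m = SU_RE.search(line)
        if m and m["target"] == "root":
            events.append((m["user"], "shell", "su"))
    return events


def unattributed_sessions(events):
    """Users whose later root activity these log lines cannot attribute per command."""
    return sorted({user for user, kind, _ in events if kind == "shell"})


if __name__ == "__main__":
    events = attribute(SAMPLE_LOG)
    for event in events:
        print(event)
    print("root shells with no per-command record:", unattributed_sessions(events))
```

In the sample, a root shell started through sudo leaves the same gap as `su -`: the log shows who opened the shell but nothing typed inside it.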