[sf-lug] GKsu has long been EOLed

Ken Shaffer kenshaffer80 at gmail.com
Sat Feb 16 15:12:42 PST 2019


On Sat, Feb 16, 2019 at 1:55 PM Jim Stockford <jim.stockford at gmail.com>
wrote:

>
> Using  sudo  for root-privileged actions promotes tracking
> of who did what when, which  su -  does not so easily:
> correct? incorrect?
>
Yes, a bureaucratic function used to assign blame when multiple people have
root priv (assuming no active measures to obfuscate logs).
Maybe not so useful if there is only one person with root. ;^D
Ken

>
>
> On Sat, Feb 16, 2019 at 10:56 AM Rick Moen <rick at linuxmafia.com> wrote:
>
>> Quoting Akkana Peck (akkana at shallowsky.com):
>>
>> > You make an excellent point. I'd just been taking this "allowing
>> > ssh as root is horribly dangerous" gospel without examining it.
>>
>> And, if you think about it, the way Ubuntu and similar distributions use
>> sudo is pretty questionable from a security standpoint, too:  It
>> conditions the user to think of root privilege as just a bureaucratic
>> detail with a command prefix, and not even requiring a separate
>> password.  IMO, it makes root mishaps _more_ likely, not less.
>>
>> There are other ways to use sudo, e.g., making escalating to system
>> privilege require a separate, root-specific password rather than just
>> using the admin user's regular password.  (Aside from that, the BSD
>> practice of restricting even the ability to escalate privilege to
>> members of a 'wheel' group has a lot of merit, and can be implemented on
>> Linux with a little PAM adjustment.)
>>
>> Personally, I prefer the old-school conceptual model, where root is just
>> a dramatically different user reached by doing 'su -', whereupon the
>> shell prompt changes from '$' to '#', to remind you that you are now
>> playing with fire, need to watch your step, and should probably exit
>> that subshell and drop root privilege as soon as possible.  My friend
>> Richard Couture, who owned and ran the famous CoffeeNet Linux-based
>> Internet cafe in South of Market, SF, used to further underline that
>> point by causing all root-user xterm windows to have a red background.
>>
>> Works for Me.[tm]
>>
>>
>> > Oh, yes, I certainly agree with that -- which is why I don't run
>> > any of those defaults.
>>
>> (Reminds me, aka please pardon the slight change of subject:)  It's easy
>> to forget, when you're a software nerd, that, by and large, when you
>> talk to the general public and diligently detail for them how they
>> should customise their software, that they're going to nod and listen
>> and sound receptive -- but then do _absolutely nothing_.
>>
>> This was a lesson computer nerds learned only slowly after the Great
>> Unwashed discovered the Internet, and especially after the Year of
>> Endless September (https://en.wikipedia.org/wiki/Eternal_September),
>> 1993, when AOL opened its Internet gateway.  You can still find all
>> manner of nerd-written, optimistic FAQs where we of the computerist
>> community patiently and concisely explained how to do interleaved
>> quoting, how and why to trim quotations, why HTML and binary attachments
>> have no place on Usenet and mailing lists, and so on.
>>
>> All of that documentation and assiduous help had approximately zero
>> effect, because the experts giving that assistance simply couldn't
>> conceive of _never touching the defaults_ -- yet, that's how Joe and
>> Jane Sixpack do their computing.  Every.  Time.
>>
>> Except, of course, when they get social-engineered into downloading and
>> installing (malware) 'toolbars' into their Web browsers and such.
>>
>>
>> [apulse:]
>>
>> > THANK YOU! What a wonderful option, which I will definitely try.
>>
>> You're very welcome.  I hope it does the trick.
>>
>>
>> _______________________________________________
>> sf-lug mailing list
>> sf-lug at linuxmafia.com
>> http://linuxmafia.com/mailman/listinfo/sf-lug
>> SF-LUG is at http://www.sf-lug.org/
>>
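The logging difference Jim asks about and Ken confirms, as an added example that is not part of the original thread: a small parser that reads auth-log lines and reports what can be attributed to each person. The log lines are constructed samples, and the regexes assume the usual Linux syslog layout for sudo and for pam_unix su sessions.

```python
import re

# Constructed sample lines in the usual Linux auth.log layout (not from the thread).
SAMPLE_LOG = """\
Feb 16 13:40:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Feb 16 13:41:17 host sudo:      bob : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/fstab
Feb 16 13:42:30 host su[2101]: pam_unix(su-l:session): session opened for user root by carol(uid=1000)
Feb 16 13:43:02 host sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Feb 16 13:55:44 host su[2101]: pam_unix(su-l:session): session closed for user root
"""

# sudo writes one line per invocation, naming the caller and the full command.
SUDO_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ sudo:\s+(?P<who>\S+) : "
    r"(?P<denied>.*?NOT in sudoers ; )?TTY=\S+ ; PWD=.*? ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

# su (via pam_unix) writes only the session open/close, naming the caller.
SU_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): "
    r"session opened for user (?P<target>\S+) by (?P<who>[^(\s]+)")


def audit_trail(log_text):
    """Return (who, how, detail) tuples: what the log attributes to each person."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            how = "sudo-denied" if m["denied"] else "sudo"
            events.append((m["who"], how, m["cmd"]))
            continue
        m = SU_RE.match(line)
        if m:
            # Only the switch is recorded; commands typed in the resulting
            # shell do not appear in this log.
            detail = f"shell as {m['target']}; later commands not in this log"
            events.append((m["who"], "su", detail))
    return events


if __name__ == "__main__":
    for who, how, detail in audit_trail(SAMPLE_LOG):
        print(f"{who:8} {how:12} {detail}")
```

The same gap reappears when sudo is used only to start a root shell: the log then holds one entry for the shell and nothing for what was typed in it.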

