[sf-lug] GKsu has long been EOLed

Ken Shaffer kenshaffer80 at gmail.com
Sat Feb 16 15:16:09 PST 2019


On Sat, Feb 16, 2019 at 3:12 PM Ken Shaffer <kenshaffer80 at gmail.com> wrote:

>
>
> On Sat, Feb 16, 2019 at 1:55 PM Jim Stockford <jim.stockford at gmail.com>
> wrote:
>
>>
>> Using  sudo  for root-privileged actions promotes tracking
>> of who did what when, which  su -  does not so easily:
>> correct? incorrect?
>>
> Yes, a bureaucratic function used to assign blame when multiple people
> have root priv (assuming no active measures to obfuscate logs).
> Maybe not so useful if there is only one person with root. ;^D
>
Ken
>
But really, sudo does have a fine granularity, and can implement role-based
capabilities pretty easily.  The "root" is basically assign * to *!

>
>>
>> On Sat, Feb 16, 2019 at 10:56 AM Rick Moen <rick at linuxmafia.com> wrote:
>>
>>> Quoting Akkana Peck (akkana at shallowsky.com):
>>>
>>> > You make an excellent point. I'd just been taking this "allowing
>>> > ssh as root is horribly dangerous" gospel without examining it.
>>>
>>> And, if you think about it, the way Ubuntu and similar distributions use
>>> sudo is pretty questionable from a security standpoint, too:  It
>>> conditions the user to think of root privilege as just a bureaucratic
>>> detail with a command prefix, and not even requiring a separate
>>> password.  IMO, it makes root mishaps _more_ likely, not less.
>>>
>>> There are other ways to use sudo, e.g., making escalating to system
>>> privilege require a separate, root-specific password rather than just
>>> using the admin user's regular password.  (Aside from that, the BSD
>>> practice of restricting even the ability to escalate privilege to
>>> members of a 'wheel' group has a lot of merit, and can be implemented on
>>> Linux with a little PAM adjustment.)
>>>
>>> Personally, I prefer the old-school conceptual model, where root is just
>>> a dramatically different user reached by doing 'su -', whereupon the
>>> shell prompt changes from '$' to '#', to remind you that you are now
>>> playing with fire, need to watch your step, and should probably exit
>>> that subshell and drop root privilege as soon as possible.  My friend
>>> Richard Couture, who owned and ran the famous CoffeeNet Linux-based
>>> Internet cafe in South of Market, SF, used to further underline that
>>> point by causing all root-user xterm windows to have a red background.
>>>
>>> Works for Me.[tm]
>>>
>>>
>>> > Oh, yes, I certainly agree with that -- which is why I don't run
>>> > any of those defaults.
>>>
>>> (Reminds me, aka please pardon the slight change of subject:)  It's easy
>>> to forget, when you're a software nerd, that, by and large, when you
>>> talk to the general public and diligently detail for them how they
>>> should customise their software, that they're going to nod and listen
>>> and sound receptive -- but then do _absolutely nothing_.
>>>
>>> This was a lesson computer nerds learned only slowly after the Great
>>> Unwashed discovered the Internet, and especially after the Year of
>>> Endless September (https://en.wikipedia.org/wiki/Eternal_September),
>>> 1993, when AOL opened its Internet gateway.  You can still find all
>>> manner of nerd-written, optimistic FAQs where we of the computerist
>>> community patiently and concisely explained how to do interleaved
>>> quoting, how and why to trim quotations, why HTML and binary attachments
>>> have no place on Usenet and mailing lists, and so on.
>>>
>>> All of that documentation and assiduous help had approximately zero
>>> effect, because the experts giving that assistance simply couldn't
>>> conceive of _never touching the defaults_ -- yet, that's how Joe and
>>> Jane Sixpack do their computing.  Every.  Time.
>>>
>>> Except, of course, when they get social-engineered into downloading and
>>> installing (malware) 'toolbars' into their Web browsers and such.
>>>
>>>
>>> [apulse:]
>>>
>>> > THANK YOU! What a wonderful option, which I will definitely try.
>>>
>>> You're very welcome.  I hope it does the trick.
>>>
>>>
>>> _______________________________________________
>>> sf-lug mailing list
>>> sf-lug at linuxmafia.com
>>> http://linuxmafia.com/mailman/listinfo/sf-lug
>>> SF-LUG is at http://www.sf-lug.org/
>>>
>
>
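The sudo arrangements discussed above (a root-specific password for escalation, escalation limited to a 'wheel' group, role-based command grants, and the audit trail Jim asked about) as an added configuration example. This is not from the thread or from the sudo project; it assumes a Linux host with sudo and Linux-PAM, and the group names, command aliases and script paths are constructed.

```sudoers
# /etc/sudoers.d/roles  (added example, not from the thread; install via visudo)

# Escalation requires root's own password, not the invoking user's password.
Defaults rootpw

# Keep a dedicated record of who ran what, when, and as whom.
# (Constructed path; the usual syslog records are kept as well.)
Defaults logfile=/var/log/sudo.log

# Role: service operators may only restart/inspect one service.
Cmnd_Alias SVC_OPS = /usr/bin/systemctl restart nginx.service, \
                     /usr/bin/systemctl status nginx.service

# Role: backup operators may run one fixed script.
Cmnd_Alias BACKUP  = /usr/local/sbin/run-backup

# Constructed groups mapped to the roles above; nothing else is granted.
%svcops   ALL = (root) SVC_OPS
%backup   ALL = (root) BACKUP

# Full root equivalence ("assign * to *") only for the wheel group.
%wheel    ALL = (ALL:ALL) ALL
```

The matching BSD-style restriction on `su` itself is a single PAM line in `/etc/pam.d/su`, placed before the other `auth` entries: `auth required pam_wheel.so use_uid`, which refuses `su -` to anyone outside the `wheel` group regardless of whether they know the root password. Check the sudoers fragment with `visudo -c -f /etc/sudoers.d/roles` before relying on it, since a syntax error in an included file can lock every administrator out of sudo.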