sudo moron
Ben Browning
plug at emptiedout.com
Fri Sep 9 14:25:37 MST 2005
Judd Pickell wrote:
> Maybe it is just me, but wouldn't bypassing the password for sudo be
> defeating the purpose of sudo?
Nope, because sudo lets you limit what can be sudone by sudoers :)
For example, on some of my servers I let a monitoring system account
sudo "qmail-qstat"[1] without a password. That account has no passwd
(auths by shared SSH keys) and does not need other special privileges.
sudo takes a fair amount of intelligence and thoroughness to implement
securely- for example letting someone sudo an editor is always a bad
idea (since you can usually execute shell commands from an editor or at
the least overwrite something setuid like /bin/passwd with a shell
script that calls a shell). If possible, it should be avoided.
> I would probably recommend running gtkpod as root, so that you are
> prompted before it starts then you don't have to enter it on exit...
...at which point some bad code in gtkpod can erase / :-|
In this instance, though, why not just have the system modprobe that
module at startup?
As for eject, if you specify that the pod can be mounted by users
("user" option in fstab entry for /dev/sda2) then it can also be
unmounted and (I think) ejected by users.
~Ben
[1] I did modify that file to include absolute paths to the binaries it
uses to avoid path attacks though
--
---
"Confession only helps if you actually feel bad for your actions.
For you, it would just be a really long boast."
-Tara
http://www.emptiedout.com
More information about the PLUG-discuss
mailing list