From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [OT] Binary install distro
Date: Fri, 11 Nov 2011 23:38:43 +0200
Message-ID: <20111111233843.0323aa15@rohan.example.com>
In-Reply-To: <CABqumk-sBBrswOVRfF3YdrdHtzWM-DQj0AL1dSko1-PuZFdHLQ@mail.gmail.com>

On Fri, 11 Nov 2011 21:10:27 +0100
Lorenzo Bandieri <lorenzo.bandieri@gmail.com> wrote:

> > Then you must be using a single-user machine. Like your own laptop
> > or desktop.
> >
> > sudo is absolutely necessary on any multi-user machine unless you
> > like security holes.
> >
> > Instead of bashing sudo, it's better to find out what problem it is
> > designed to solve, then determine if you have that problem. It does
> > have a point, and a very valuable one too, you just seem to not have
> > seen it yet.
> 
> Yes, Alan, you're right, I'm on a single-user machine. I apologize, I
> should have made it clear. 

No worries :-)

> Indeed, I can see that in a multi-user
> machine sudo is useful. I just don't agree on the Ubuntu policy of
> using sudo instead of root by default, assuming that it provides more
> security. I don't want to start a flame war about sudo vs su, sorry if
> I sounded rough!

Well, it's worth discussing, as sudo on Ubuntu *does* improve security,
but you have to think a little about how first.

It's not IT security it provides, it's human security. As I mentioned
to Dale, it encourages people to think a little more about what they
are doing. It's not perfect, but nothing is.

Unix has always been very strong on initial authentication and rather
weak on authorization thereafter. If you can prove you know the root
password, you get the keys to the kingdom until the end of time
(defined as logout) - it's an all or nothing approach which obviously
cannot possibly fit RealLife.

sudo may or may not implement an authorization scheme that's suitable
for use, but the need for it is undeniable. It's easy to get
authorization completely wrong and go over the top, take SE-Linux. Its
very design and complexity encourages sysadmins to find ways to switch
it off! And they mostly do - with a single boot parameter in grub....


-- 
Alan McKinnon
alan.mckinnon@gmail.com


