From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Cc: Joost Roeleveld
Subject: Re: [gentoo-user] kdepim-4.6.0 woes
Date: Thu, 23 Jun 2011 22:12:01 +0200

On Thursday 23 June 2011 13:36:11 Joost Roeleveld did opine thusly:
> On Thursday 23 June 2011 05:53:15 Dale wrote:
> > Joost Roeleveld wrote:
> > > On Wednesday 22 June 2011 18:02:39 Alan McKinnon wrote:
> > >> But all this was mild compared to what I did yesterday.
> > >> You know that notice on the console when you get sudo
> > >> wrong? It says the incident "will be reported"
> > >>
> > >> OK. But to whom? On my shell boxes it gets reported to me.
> > >> And yesterday this is what it said:
> > >>
> > >> : Jun 21 11:55:25 : : 1 incorrect password attempt ; TTY=pts/194 ; PWD=/some/path ; USER=root ; COMMAND=init 6
> > >>
> > >> 500 concurrent sessions on that box is routine, it's a
> > >> major gateway server. That poor user has not recovered
> > >> yet.
> > >
> > > You mean, he (or she) will eventually recover?
> > >
> > > Am curious though, why the attempt for a reboot?
> >
> > I was curious about that too. I don't use sudo, I'm the only
> > geek in the chair here, but I don't think I would want to
> > reboot just because my typing was off.
>
> I do use sudo for some scripts as I don't want the script to have
> root-access to some of the servers and I definitely don't want to
> add suid-bits to random programs.
>
> At my home, I'm not the only one who knows his/her way around
> computers. But neither of us would consider it a good idea to
> simply reboot a machine.
>
> > Given what Alan runs and the amount of people it affects, I'm
> > surprised it is set up that way. Question. You changed that
> > behavior yet Alan?
>
> I'm guessing Alan got that because it's not allowed with sudo. If it
> was, the password-failure wouldn't have been listed.

On a single user box, sudo is often a pain in the butt (witness the
amount of whinging that goes on with Ubuntu users), so su is probably
much better for that.

On a large multi-user corporate shell box, you can't avoid needing
fine-grained access control and elevated privileges. A choice between
running as user alan or root just doesn't cut it, neither does suid. I
need to be able to let the senior Cisco jockeys run a router
configurator app as the networkadmin role, or let the tape backup
fellows run the backup agent as root, without giving them the root
password.

There's 4 of us in the team, when one resigns it takes all day to
change the root passwords everywhere. With 600 login users it just
doesn't work at all. So sudo is absolutely required in this neck of
the woods.

Of course the machine didn't reboot - that user isn't in the wheel
group, so sudo gave him the middle finger. That's not the point -
/etc/sudoers is there to save my ass, not the user's.

The user got the wrath treatment because he made the biggest mistake
of them all:

He was not paying attention.

:-)

--
alan dot mckinnon at gmail dot com
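
An added example, not part of the original message: a Python triage of sudo incident lines in the layout quoted in the thread, picking out denied attempts to run a service-affecting command as root. The host gw1, the user names, the routercfg path and the DISRUPTIVE list are assumptions, and the sample lines are constructed.

```python
import re
from pathlib import PurePosixPath

# Incident line layout as quoted in the thread:
#   <host> : <timestamp> : <user> : <reason> ; TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..
ENTRY = re.compile(
    r"^(?P<host>[^\s:]*)\s*:\s*(?P<when>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)"
    r"\s*:\s*(?P<user>[^\s:]*)\s*:\s*(?P<body>.+)$"
)
DENIED = re.compile(r"incorrect password attempt|NOT in sudoers|command not allowed")
# Assumption: program names this site treats as service-affecting.
DISRUPTIVE = {"init", "telinit", "reboot", "shutdown", "halt", "poweroff"}

def parse_entry(line):
    """Return a dict for one incident line, or None if it does not match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    # COMMAND= is always last and may itself contain " ; ", so split it off first.
    head, sep, command = m["body"].partition(" ; COMMAND=")
    if not sep:
        return None
    parts = [p.strip() for p in head.split(" ; ")]
    # A permitted run has no reason text: the body starts directly with TTY=.
    reason = "" if re.match(r"[A-Z]+=", parts[0]) else parts.pop(0)
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    return {"host": m["host"], "when": m["when"], "user": m["user"],
            "reason": reason, "command": command.strip(), **fields}

def is_disruptive(command):
    """True if the program name (path stripped) is in DISRUPTIVE."""
    argv = command.split()
    return bool(argv) and PurePosixPath(argv[0]).name in DISRUPTIVE

def triage(lines):
    """Denied attempts to run a disruptive command as root."""
    entries = filter(None, map(parse_entry, lines))
    return [e for e in entries
            if DENIED.search(e["reason"]) and e.get("USER") == "root"
            and is_disruptive(e["command"])]

# Constructed sample input: host, users and the routercfg path are made up.
SAMPLE = [
    "gw1 : Jun 21 11:55:25 : bob : 1 incorrect password attempt ; TTY=pts/194 ; PWD=/some/path ; USER=root ; COMMAND=init 6",
    "gw1 : Jun 21 12:01:02 : carol : user NOT in sudoers ; TTY=pts/7 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls /root",
    "gw1 : Jun 21 12:03:40 : dave : TTY=pts/9 ; PWD=/home/dave ; USER=networkadmin ; COMMAND=/usr/local/bin/routercfg",
]
```

Calling `triage(SAMPLE)` returns only the first entry; the redacted line from the thread (empty host and user) also parses, with those two fields as empty strings.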