On Friday, 24 December 2010, Robert Ransom <[email protected]> wrote:
> sudo has the advantage over su that, if you learn how to configure it
> properly, you can allow certain users to run certain commands without
> typing the root password.

Which has certain implications.

If you have a bunch of people who need admin privileges, say, you don't want all of them using the same root password. And what if you want people to be root only for certain things? So, it would be nice to let these people escalate privileges without su.

So what, keep separate setuid binaries? But as pointed out earlier, a program can distinguish between an actual and an 'effective' uid, and many rely on this.

What would be great is if we could have a way that someone can escalate their privileges through a single setuid binary with their own individual password... Of course, we'll need to restrict what each user can do. We can call this something like su-do?

Setuid is best when a *binary* needs its owner's privileges even when executed by another user. When a *user* needs those privileges, go for sudo (or sup, or whatever).

Btw, happy Christmas, all. :)

cls
