On Thursday 23 June 2011 13:36:11 Joost Roeleveld did opine thusly:
> On Thursday 23 June 2011 05:53:15 Dale wrote:
> > Joost Roeleveld wrote:
> > > On Wednesday 22 June 2011 18:02:39 Alan McKinnon wrote:
> > >> But all this was mild compared to what I did yesterday.
> > >> You know that notice on the console when you get sudo
> > >> wrong? It says the incident "will be reported"
> > >> 
> > >> OK. But to whom? On my shell boxes it gets reported to me.
> > >> And
> > >> yesterday this is what it said:
> > >> 
> > >> <host>  : Jun 21 11:55:25 :<user>  : 1 incorrect password
> > >> attempt ; TTY=pts/194 ; PWD=/some/path ; USER=root ;
> > >> COMMAND=init 6
> > >> 
> > >> 500 concurrent sessions on that box is routine, it's a
> > >> major gateway server. That poor user has not recovered
> > >> yet.
> > > 
> > > You mean, he (or she) will eventually recover?
> > > 
> > > Am curious though, why the attempt for a reboot?
> > 
> > I was curious about that too.  I don't use sudo, I'm the only
> > geek in the chair here, but I don't think I would want to
> > reboot just because my typing was off.
> 
> I do use sudo for some scripts as I don't want the script to have
> root-access to some of the servers and I definitely don't want to
> add suid-bits to random programs.
> 
> At my home, I'm not the only one who knows his/her way around
> computers. But neither of us would consider it a good idea to
> simply reboot a machine.
> 
> > Given what Alan runs and the amount of people it affects, I'm
> > surprised it is set up that way.  Question.  You changed that
> > behavior yet Alan?
> 
> I'm guessing Alan got that because it's not allowed with sudo. If it
> was, the password-failure wouldn't have been listed.

On a single user box, sudo is often a pain in the butt (witness the 
amount of whinging that goes on with Ubuntu users), so su is probably 
much better for that.

On a large multi-user corporate shell box, you can't avoid needing 
fine-grained access control and elevated privileges. A choice between 
running as user alan or root just doesn't cut it, neither does suid. I 
need to be able to let the senior Cisco jockeys run a router 
configurator app as the networkadmin role, or let the tape backup 
fellows run the backup agent as root, without giving them the root 
password.

There's 4 of us in the team, when one resigns it takes all day to 
change the root passwords everywhere. With 600 login users it just 
doesn't work at all.

So sudo is absolutely required in this neck of the woods.

Of course the machine didn't reboot - that user isn't in the wheel 
group, so sudo gave him the middle finger. That's not the point - 
/etc/sudoers is there to save my ass, not the user's. The user got the 
wrath treatment because he made the biggest mistake of them all:

He was not paying attention.

:-)
-- 
alan dot mckinnon at gmail dot com
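As an added illustration (not part of Alan's mail or his actual configuration), this is roughly what the described setup looks like in /etc/sudoers: the wheel group gets full sudo, the Cisco admins may run only a router configurator as the networkadmin role, the backup operators may run only the backup agent as root, and every failure is mailed to the admins. The program paths, group names and mail address are assumptions for the example.

```sudoers
# Added example sudoers fragment; paths, groups and the mailto address are assumed.
# Where sudo sends the "incident will be reported" notice, and when.
Defaults        mailto="sysadmins@example.invalid"
Defaults        mail_badpass        # wrong password (the case in the thread)
Defaults        mail_no_user        # user has no sudoers entry at all
Defaults        mail_no_perms       # user exists in sudoers but command not allowed
Defaults        logfile=/var/log/sudo.log

# Who: Unix groups, written as %group.
User_Alias      NETADMINS   = %netadmins
User_Alias      BACKUPOPS   = %backupops

# What: exact binaries, never a shell or an editor.
Cmnd_Alias      ROUTERCFG   = /usr/local/bin/router-config
Cmnd_Alias      BACKUPAGENT = /opt/backup/bin/agent

# As whom: the role account the network tools are owned by.
Runas_Alias     NETROLE     = networkadmin

# The four-person admin team: anything, as anyone, with their own password.
%wheel          ALL = (ALL) ALL

# Senior Cisco jockeys: only the configurator, only as networkadmin.
NETADMINS       ALL = (NETROLE) ROUTERCFG

# Tape backup fellows: only the agent, as root, no root password involved.
BACKUPOPS       ALL = (root) BACKUPAGENT
```

A user in none of these groups who types `sudo init 6` is prompted, the mistyped password is mailed to the admins, and the command is refused either way; check the file with `visudo -c` before relying on it.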
