>At 12:14 AM 12/21/98 -0600, Edward Welbon wrote:
>>Rather than su - root, you are safer to use sudo which allows you to
>>execute a command as root.  The problem with su is that it lets you leave

of course, dedicated crackers will then just grab your password and have
root access!  a co-worker pointed this out to me...you still need to use
ssh *every time* you connect, as otherwise you are in effect allowing
a root compromise, albeit only by a more clued attacker (the script kiddies
will probably miss it)


>>a session open as root whereas sudo can be setup to require a password on
>>each command invocation (you can also do other things such as restrict the
>>programs that can be run).  It is all a matter of how paranoid you are.

having tried to run a site where i allowed many people sudo access, it's
impossible to do it securely, unless you handpick the applications folx
are allowed to run...i tried excluding shells, but smart folks made a local
copy by a different name and ran it...

the most useful "restricted" sudo environment i've come up with is an
entry for a throwaway account (no special access aside from the sudo
ability) which allows it to run sshd--then i can ssh in and login+su/sudo
securely.  (sshd dies on our old aix boxen quite frequently).

another might be shutdown/reboot only, if you trust your users not to
abuse it, or don't have anything terribly important running on a box.


>I use sudo a lot, and generally do use it like su to start a root session,
>although it's also handy for running individual commands.  One problem with
>using it for individual commands is the difficulty of properly handling
>complex command lines involving redirection which involve several commands
>all of which need to be run as root.

agreed, it's a pain to chain commands...one of my most often encountered
woes is that i can't tab-expand inside root-only directories when
constructing sudo command lines...it bites me when i have to do mailqueue
cleanup...
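The restrictions discussed in this thread (a password on every invocation, the "exclude shells" approach that a renamed copy defeats, the sshd-only throwaway account, and shutdown/reboot-only access) written out as a sudoers fragment; this is an added example, not from any poster, and the user names, account names and binary paths are assumptions.

```sudoers
# WEAK: blanket root with an exclusion list for shells. sudo matches the
# command by its path, so a user who copies /bin/sh to ~/notashell and runs
# that under sudo is not stopped by the "!" entries (the renamed-copy
# problem described in the thread). Kept here commented out for contrast.
#%admins ALL = (root) ALL, !/bin/sh, !/bin/bash, !/bin/csh

# Ask for the password on every sudo invocation rather than caching it.
# timestamp_timeout is in minutes; 0 disables the cache.
Defaults        timestamp_timeout=0

# BETTER: allow-list by absolute path, with arguments spelled out where they
# matter. Anything not listed is refused, copied shells included.
# Paths below are assumed for a Linux host; adjust for your OS.
Cmnd_Alias      POWER   = /sbin/shutdown -r now, /sbin/shutdown -h now, \
                          /sbin/reboot
Cmnd_Alias      SSHD    = /usr/sbin/sshd

# Hypothetical principals.
User_Alias      OPS     = alice, bob
User_Alias      SSHKICK = sshkick

# Operators may only reboot or halt the box.
OPS             ALL = (root) POWER

# The throwaway account may only start sshd when it has died,
# so you can ssh in and then su/sudo properly.
SSHKICK         ALL = (root) SSHD
```

Edit the file with visudo so a syntax error cannot lock you out.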