tlug.jp Mailing List Archive
Re: [tlug] Root - NO KDE
- Date: Wed, 26 Jun 2002 00:49:00 +0900
- From: Jonathan Q <jq@example.com>
- Subject: Re: [tlug] Root - NO KDE
- References: <3D17E42C.2080205@example.com> <MBBBKFNBGKOCHLHLBFPOMEKKCAAA.jc@example.com> <20020625195544.G18685@example.com> <3D187F9D.1050901@example.com>
- User-agent: Mutt/1.2.5.1i
Josh Glover (jmglov@example.com) wrote:

> I did not claim it was a magic bullet.

You didn't, but James may be unaware of its downside; people who don't know there's anything wrong with sudo may view it as a magic bullet.

> is a better tool than su - for administration of a box so that you do
> not inadvertently (or intentionally) have root shells hanging around.

I find su to be far more effective, and I'd be surprised indeed to find that most sysadmins (including you) don't use it regularly.

> And James is correct about the utility of sudo to provide non-root users
> the ability to do limited things as root, as necessary.

That's a good place to stop and think about what he's allowing those users to do. To make an (admittedly broad) generalization, things that require you to be root in order to do them are usually like that for a reason, not because somebody felt like adding extra steps to a process.

> There are *no* magic bullets, Jonathon, but I disagree with you about
> avoiding sudo. Everything has a history of exploits. Should we stop
> using Apache because of last week's fiasco?

Apples and oranges, Jash. The things we should try to avoid are ones that *unnecessarily* add levels of risk [1]. Before using sudo, an admin should ask "OK, do I really want this person to be able to do this at all? Why or why not?" If she considers it carefully and the answer is still "yes", then maybe there's no choice.

My experience with people who are not administrators is that they should not be allowed to do *anything* that affects the entire system without having it sanity-checked by someone who is an admin. For that matter, it doesn't hurt for admins themselves to sanity-check stuff with other admins before doing things with potentially far-reaching consequences. Having root doesn't make us infallible (although it does usually mean we're less fallible than the unwashed, or we wouldn't have been entrusted with root in the first place :-)

> Should we stop using
> Sendmail because of its less than optimal security history? (Yes! ;)

No, we should stop using Sendmail because of its hideous .cf file ;-)

A question that would strike a much better analogy would be "Should we stop using IIS because of its horrendous security history?" and I would answer that with a "Yes." The reason being that the security history of IIS is not only (at least) as sordid as the worst security histories in the world of Unix, it's going on "right now" - an important distinction. Sendmail today is pretty secure. If you want to have a current Sendmail box become an open relay or provide someone with a root exploit, you have to (probably deliberately) make it that way. Is it as secure as Qmail, Exim, or Postfix? Maybe, maybe not, but it's not bad.

Better still, let's ask "Should you stop using Outlook/Express because of their security histories?" Again, I would say "yes," because those bad security histories are going on now. If today's Sendmail was the same as 1992's Sendmail, I would say "Yeah, *RUN* don't walk to your nearest FTP site for Exim or Postfix."

> I would argue that instead, we should be trying to find new exploits and
> fixing them. I have read some of the sudo code, and it has survived the
> OpenBSOD (sorry, couldn't resist) audit.

Snort. Yeah, so did Apache :-))

> So that is my opinion. I am curious as to what elicited such a strong
> statement from you? What do you not like about sudo, specifically?

It gives (partial) root privs to people who maybe shouldn't have them, and it opens potential exploits that would not otherwise be there. It's the same reason we don't make binaries SUID root unless there's a pretty good reason why they need to be.

I do not, however, think my statement was as strong as you apparently took it to be. No stronger than your statement that sudo is good. I think it's bad, and will stand by that. If people can't be trusted with root access, make them go through someone who can, or at the least, someone who can *almost* be trusted with it. Give that person sudo access if you must.

Jonathan

[1] Of course, we all (except maybe Chris ;-) have some skeletons in our software closets, but we should at least try to keep extra ones from getting in.