Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

Re: Re: qx//, ssh -t (pseudo-tty) and sudo

by shockme (Chaplain)
on Nov 12, 2003 at 01:03 UTC ( [id://306439]=note: print w/replies, xml ) Need Help??


in reply to Re: qx//, ssh -t (pseudo-tty) and sudo
in thread qx//, ssh -t (pseudo-tty) and sudo

Way OT here, but there is a huge difference between using ssh as root and using ssh as a normal user who has sudo privileges.

While the differences are too numerous to mention, it is important to remember root is all-powerful. Period. No questions asked.

sudo is highly configurable as to which user/group can do what. You can fine-tune which user can do X, which group can do Y, etc.

I'll take 1,000 users with sudo privileges over 1,000 users logging in as root any day. At a minimum, I can look at the logs and see who did what, as opposed to thousands of entries showing root logging in, and then one entry where root rm -rf /.

If things get any worse, I'll have to ask you to stop helping me.

  • Comment on Re: Re: qx//, ssh -t (pseudo-tty) and sudo

Replies are listed 'Best First'.
Re: Re: Re: qx//, ssh -t (pseudo-tty) and sudo
by Roger (Parson) on Nov 12, 2003 at 01:13 UTC
    sudo is highly configurable as to which user/group can do what. You can fine-tune which user can do X, which group can do Y, etc.

    Agreed, but once I convinced the system admin that I had to do sudo make to compile some program. Having obtained the sudo access, I made a simple Makefile that called a script that modified the sudoer file, and gave me total control of the system. :-)

[reply]
[d/l]
      Given that /etc/sudoers is supposed to be read-only (444), this smacks of an insecure installation.

      However, my point was not that sudo is perfection, only that it is far more preferable to allowing root access to ssh.

      If things get any worse, I'll have to ask you to stop helping me.

[reply]
        Yes I agree with you that sudo is better than direct root acess. And on my system I don't allow remote root login anyway.

        Given that /etc/sudoers is supposed to be read-only (444), this smacks of an insecure installation.

        Yes the /etc/sudoers file was read-only, but my script does -
        chmod u+w /etc/sudoers
... bits to modify my sudoers entry ...
chmod u-w /etc/sudoers

        [download]
        When I do a sudo make, *every* command inside the Makefile are automatically run with ROOT priviledges, so there is no secure system when I can do "sudo make". :)

        (I know this is OT, but interesting to know and talk about. So one thing I never do is to give people sudo access on make)

[reply]
[d/l]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://306439]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others meditating upon the Monastery: (3)
As of 2024-04-16 16:22 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found