Re: What can't sudo do?

From: Clive Menzies (clive_at_clivemenzies.co.uk)
Date: 03/16/04

  • Next message: Rajesh Menon: "invoke-rc.d: initscript apache, action "start" failed."
    Date: Tue, 16 Mar 2004 01:00:18 +0000
    To: debian-user@lists.debian.org
    
    

    On (15/03/04 15:49), Bill Moseley wrote:
    > On Mon, Mar 15, 2004 at 11:35:42PM +0000, Clive Menzies wrote:
    > > I use sudo for all my machines (servers and workstation) with full root
    > > privileges. You can restrict what sudoers can do if you're concerned
    > > about someone gaining access to your user account (man sudo).
    >
    > So in that case you still need to su root for some tasks.
    A few yes but most of the time sudo suffices

    >
    > > I think the main benefit is that you can't do something dangerous as
    > > root, should you forget to revert to your user account. With sudo you
    > > have to consciously sudo each command.
    >
    > Do you feel like your own account has too many privileges?
    No, but relatively few people have access to our network and I'm the
    only one who knows (albeit in a limited way) Linux/Debian.

    > You see where I'm coming from -- if I give myself enough access via sudo
    > to do normal stuff I'd need root for, then it's somewhat like having root
    > all the time. Well, I guess it's more likely to type rm -rf / than sudo
    > rm -rf / by mistake. I guess the key is to really limit what I can do
    > with sudo.
    That is a fairly difficult mistake to make but I'm sure that there are
    less obvious ways to inadvertantly screw something with root privileges

    > I'm changing my question, though. Let's put it this way -- say you
    > bought a machine and rack space from a provider and they only give you
    > sudo access to commands. Could you effectively manage the machine? And
    > if so would that mean then that your normal account had too much
    > privilege?
    If it is your machine, why would they need to restrict you in that way?
    It would suggest that your sudoer privileges would be restricted in some
    way ... it would depend on what those restrictions are.

    I'm getting out of my (shallow) depth here ;)

    Regards

    Clive

    -- 
    http://www.clivemenzies.co.uk
    strategies for business
    -- 
    To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
    

  • Next message: Rajesh Menon: "invoke-rc.d: initscript apache, action "start" failed."