Re: What can't sudo do?
From: Clive Menzies (clive_at_clivemenzies.co.uk)
Date: Tue, 16 Mar 2004 01:00:18 +0000 To: firstname.lastname@example.org
On (15/03/04 15:49), Bill Moseley wrote:
> On Mon, Mar 15, 2004 at 11:35:42PM +0000, Clive Menzies wrote:
> > I use sudo for all my machines (servers and workstation) with full root
> > privileges. You can restrict what sudoers can do if you're concerned
> > about someone gaining access to your user account (man sudo).
> So in that case you still need to su root for some tasks.
A few yes but most of the time sudo suffices
> > I think the main benefit is that you can't do something dangerous as
> > root, should you forget to revert to your user account. With sudo you
> > have to consciously sudo each command.
> Do you feel like your own account has too many privileges?
No, but relatively few people have access to our network and I'm the
only one who knows (albeit in a limited way) Linux/Debian.
> You see where I'm coming from -- if I give myself enough access via sudo
> to do normal stuff I'd need root for, then it's somewhat like having root
> all the time. Well, I guess it's more likely to type rm -rf / than sudo
> rm -rf / by mistake. I guess the key is to really limit what I can do
> with sudo.
That is a fairly difficult mistake to make but I'm sure that there are
less obvious ways to inadvertantly screw something with root privileges
> I'm changing my question, though. Let's put it this way -- say you
> bought a machine and rack space from a provider and they only give you
> sudo access to commands. Could you effectively manage the machine? And
> if so would that mean then that your normal account had too much
If it is your machine, why would they need to restrict you in that way?
It would suggest that your sudoer privileges would be restricted in some
way ... it would depend on what those restrictions are.
I'm getting out of my (shallow) depth here ;)
-- http://www.clivemenzies.co.uk strategies for business -- To UNSUBSCRIBE, email to email@example.com with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org