On 03/02/2010 08:40 PM, Ray Kohler wrote:
On Tue, Mar 2, 2010 at 9:24 PM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
On 03/01/2010 05:03 PM, Ray Kohler wrote:
What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just got owned in one step.
How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password?
Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p
Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p
Yes, same answer, you get owned. In fact, even with a password required, the "5 minute grace window" for sudo does you in - some bad guy just keeps trying to sudo, until you do it legitimately, thereby allowing it freely for 5 minutes, and then he's got root.
What I actually do, myself, is to not install sudo at all, and just use su. I also uncomment the pam line that requires wheel membership to su. In order to make su be a little more comfortable, I do this:
alias su='su -m'
sr () {
    /bin/su -m -c "$*"
}
I only recommend doing away with sudo if you're the only person who has root on the machine. For multiple users needing such access, sudo's fine-grained controls are well worth it, and prevent you from having to hand out the root password every time it gets changed.
Again, thank you Ray! Thankfully, all my boxes are one root user (me) boxes. So I guess I'm really trying to save me from myself. I did uncomment the pam require wheel auth to limit any possible su/sudo access to require members of the wheel group. Interesting discussion, I've learned a bit more.
--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
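Added example, not part of the thread or of any poster's message: a POSIX shell check for the three settings discussed above (NOPASSWD rules, sudo's timestamp grace window, and the pam_wheel line for su). The function names, finding labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads only global "Defaults" lines and
# does not follow #include files. Finding labels are made up for this sketch.

# audit_sudoers FILE: print one finding per line for a sudoers-format file.
audit_sudoers() {
    # An active rule tagged NOPASSWD gives root without any password prompt.
    if grep -Eq '^[[:space:]]*[^#[:space:]].*NOPASSWD[[:space:]]*:' "$1"; then
        echo "nopasswd_rule"
    fi
    # The last global timestamp_timeout wins; unset means the default window.
    t=$(sed -n 's/^[[:space:]]*Defaults[[:space:]].*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9.]*\).*/\1/p' "$1" | tail -n 1)
    case "$t" in
        0|0.0) ;;                                # password on every sudo call
        "")    echo "grace_window_default" ;;
        -*)    echo "grace_window_no_expiry" ;;
        *)     echo "grace_window_${t}_min" ;;
    esac
}

# audit_pam_su FILE: print findings for a PAM service file such as /etc/pam.d/su.
audit_pam_su() {
    # "sufficient ... trust" lets wheel members su with no password at all.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*trust' "$1"; then
        echo "su_wheel_passwordless"
    fi
    # "required" limits su to wheel members (the line uncommented in the thread).
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"; then
        echo "su_not_wheel_restricted"
    fi
}

# Constructed sample files, not taken from any real host.
d=$(mktemp -d)
printf '%s\n' 'Defaults env_reset' '%wheel ALL=(ALL) NOPASSWD: ALL' > "$d/sudoers.weak"
printf '%s\n' 'Defaults env_reset,timestamp_timeout=0' '%wheel ALL=(ALL) ALL' > "$d/sudoers.strict"
printf '%s\n' 'auth sufficient pam_rootok.so' '#auth required pam_wheel.so use_uid' 'auth required pam_unix.so' > "$d/su.stock"
printf '%s\n' 'auth sufficient pam_rootok.so' 'auth required pam_wheel.so use_uid' 'auth required pam_unix.so' > "$d/su.wheel"
for f in "$d"/sudoers.*; do echo "== $f"; audit_sudoers "$f"; done
for f in "$d"/su.*; do echo "== $f"; audit_pam_su "$f"; done
```

A file that produces no findings prompts for a password on every sudo call and restricts su to wheel members.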