On 03/03/2010, Ty John <ty-ml@eye-of-odin.com> wrote:
On Tue, 02 Mar 2010 20:24:20 -0600 "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote:
On 03/01/2010 05:03 PM, Ray Kohler wrote:
What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just got owned in one step.
How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password?
Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p
Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p
sudo can be limited to only certain commands also. IMO su should remain as secure as possible and sudo should be customised for the situation.
It's all a moot point. If you want to talk about "things that you run yourself", then su/sudo does nothing to help you in any way. Most of the su/sudo thing derived from *NIX machines being academic remote systems accessed by more than one person, and not a single-user desktop which could be attacked and infected by the user's own epic failures.

http://www.geekzone.co.nz/foobar/6229

--
GPG/PGP ID: B42DDCAD
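The thread contrasts passwordless sudo for the wheel group with sudo limited to certain commands. The following is an added example, not part of the original messages: a small audit that sorts sudoers rules into those two cases plus the password-required case. The function names and the sample sudoers text are constructed for illustration, and the parsing is simplified (it treats a NOPASSWD tag as applying to the whole rule and does not expand aliases or include files).

```shell
#!/bin/sh
# Constructed sample sudoers content (not taken from the thread).
sample_sudoers() {
cat <<'EOF'
# wheel may run anything without a password
%wheel ALL=(ALL) NOPASSWD: ALL
%admin ALL=(ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync, \
    /usr/bin/tar
Defaults env_reset
EOF
}

# Reads sudoers text on stdin and prints "<verdict><TAB><user-or-group>".
#   NOPASSWD-ALL      any command, no password (one step to root)
#   NOPASSWD-LIMITED  no password, but only for the listed commands
#   PASSWORD          password prompt still applies
audit_sudoers() {
  awk '
    # Join lines that end in a backslash continuation.
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    { line = buf $0; buf = ""; sub(/^[ \t]+/, "", line) }
    # Skip blanks, comments, Defaults and alias definitions.
    line == "" || line ~ /^#/ { next }
    line ~ /^(Defaults|[A-Za-z]+_Alias)/ { next }
    {
      eq = index(line, "=")
      if (eq == 0) next
      who = line; sub(/[ \t].*/, "", who)
      spec = substr(line, eq + 1)
      nopass = (spec ~ /NOPASSWD[ \t]*:/)
      gsub(/\([^)]*\)/, "", spec)      # drop the (runas) part
      gsub(/[A-Z_]+[ \t]*:/, "", spec) # drop tags such as NOPASSWD:
      n = split(spec, cmds, ","); all = 0
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
        if (cmds[i] == "ALL") all = 1
      }
      if (!nopass)  verdict = "PASSWORD"
      else if (all) verdict = "NOPASSWD-ALL"
      else          verdict = "NOPASSWD-LIMITED"
      printf "%s\t%s\n", verdict, who
    }'
}

sample_sudoers | audit_sudoers
```

On a real system the input would be the sudoers file and any files it includes, read with appropriate privileges.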