On Tue, Mar 2, 2010 at 9:24 PM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
On 03/01/2010 05:03 PM, Ray Kohler wrote:
What would worry me is things like JavaScript exploits and worms - things that you download and then run as yourself, whether intentionally or not. A password prompt will block malware like that, but with no password, you just go owned in one step.
How would this be any different than 'sudo' configured to allow members of the wheel group to sudo w/o a password?
Same answer - data prevails - set sudo to require a password? I have run servers for more than a decade with sudo/wheel group access enabled w/o a password - no problems. May have just been lucky :p
Ray, all - any different thoughts about sudo w/o a password compared to su? Or same answer, with no password, you just got owned in one step :p
Yes, same answer, you get owned. In fact, even with a password required, the "5 minute grace window" for sudo does you in - some bad guy just keeps trying to sudo, until you do it legitimately, thereby allowing it freely for 5 minutes, and then he's got root. What I actually do, myself, is to not install sudo at all, and just use su. I also uncomment the pam line that requires wheel membership to su. In order to make su be a little more comfortable, I do this: alias su='su -m' sr () { /bin/su -m -c "$*" } I only recommend doing away with sudo if you're the only person who has root on the machine. For multiple users needing such access, sudo's fine-grained controls are well worth it, and prevent you from having to hand out the root password every time it gets changed.