[nylug-talk] sudo vs 'ssh as root'
Michael Hrivnak
mhrivnak at triad.rr.com
Thu Jul 12 13:34:02 EDT 2007
All you need to tell users upon rollout is this: "In case of crisis, 'sudo -s'
will give you a root shell. Use it very sparingly."
After a few days of using sudo, it quickly becomes second nature.
Michael
On Thursday 12 July 2007 7:04:31 am Gary Mort wrote:
> Michael Bubb wrote:
> > This is, I realize, a fairly basic security question (which I am
> > cross-posting to SAGE). I have heard people who angrily declaim
> > sudo... but I have never gone through the process of figuring this out
> > for myself.
>
> My experience is that sudo is a royal pain in the butt to remember and
> get into the habit of using.
>
> When you sit down, log on to the system, use an editor to pull up a
> config file you need to make changes to, run through them all for about
> 10 minutes, and then try to save it only to discover you don't have
> write privileges, it is very frustrating.
>
> When you're in the middle of a full blown crisis which needs to be fixed
> NOW, and some genius decided to move everyone to sudo and disable su,
> you get really embittered about using sudo.
>
> In short, it is a different mindset. And it is one that in almost every
> case with a shared system you should cram down your users' throats.
> Because once you're IN the mindset, it really won't take any extra time.
> And you get to log all the things that are done.
>
> The problem mainly is in rolling it out in such a manner as to not have
> an adverse impact on the other admins in case there is a crisis.
>
> My experience is it only takes one crisis for management to decide they
> don't want to use some tool/process because it "caused the problem" -
> and once they're in the mindset of looking for something to blame, they
> don't want to hear about the interactions of many different things which
> caused the crisis - there MUST be something to blame, so what are you
> going to do? Let them blame sudo? Or have them blame you? Whereas it
> takes a dozen instances of losing data/config for management to decide
> they want to implement tighter security because they're having
> problems (and when you tell them the reason it wasn't set up that way in
> the first place was because they wouldn't allow it, you're told "Let's not
> point fingers, we just need to get this resolved for the future". This
> statement coming right after their pointed question "Why didn't YOU have
> it configured this way to begin with.")
>
> sudo is a large inconvenience to get into the habit of, and then a small
> inconvenience later on.
>