On 05/22/2016 12:38 AM, Paweł Cholewiński wrote:
> Read this
> http://unix.stackexchange.com/questions/35338/su-vs-sudo-s-vs-sudo-i-vs-sudo-bash
>
>
> Paweł

That's a good comparison with sound analysis but looks like it tries to
use sudo just as if it were su. They are very different tools with very
different use-cases.

There are two main advantages of sudo which almost never get mentioned
as too many systems *cough*ubuntu*cough*mint*cough* are set up to allow
'sudo -i' by default: One advantage of sudo is that control can be
granted in a highly granular way. Specific programs with only specific
options can be made available to specific users. Another advantage is
an all but unknown auditing system which shows which account did or
tried what and exactly when. See 'sudoreplay' for that.

As far as default settings go, instead of defaulting to

    %sudo ALL=(ALL:ALL) ALL

I'd raise the bar, with a default sudoers something like this:

    %sudo ALL=(ALL) /usr/bin/apt-get update, \
        /usr/bin/apt-get install [A-Za-z0-9][A-Za-z0-9-]*, \
        /usr/bin/apt-get remove [A-Za-z0-9][A-Za-z0-9-]*, \
        /usr/bin/apt-get autoremove, /usr/sbin/visudo ""

Maybe in a future version of Devuan, some changes to sudoers can be
considered.

Michael W Lucas has had very useful presentations on sudo:
https://www.bsdcan.org/2014/schedule/attachments/283_2014-04-29%20sudo%20tutorial%20-%20bsdcan%202014.pdf
https://www.youtube.com/watch?v=o0purspHg-o
but his book 'Sudo Mastery' is even more useful. IMHO it's not that
sudo is any harder than most other utilities, it's just that common
misuse has gotten the herd heading off in the wrong direction.

regards,
/Lars
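
Added example, not part of the message above: a small audit of the argument patterns in the suggested sudoers entry. sudoers matches command-line arguments as one joined string using shell-style globbing, so `*` also matches spaces; Python's fnmatch is used here as an approximation of that matching, and the strict per-word check and the sample invocations are assumptions constructed for illustration.

```python
import fnmatch
import re
import shlex

# Argument patterns copied from the sudoers entry in the message above.
RULE_ARGS = [
    "update",
    "install [A-Za-z0-9][A-Za-z0-9-]*",
    "remove [A-Za-z0-9][A-Za-z0-9-]*",
    "autoremove",
]

# Assumption: the character classes read as a regex for ONE package name.
STRICT_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*\Z")


def sudoers_glob_allows(cmdline_args: str) -> bool:
    """Approximate sudoers matching: the arguments are joined into a single
    string and compared glob-style, so '*' can swallow further words."""
    joined = " ".join(shlex.split(cmdline_args))
    return any(fnmatch.fnmatchcase(joined, pat) for pat in RULE_ARGS)


def strict_allows(cmdline_args: str) -> bool:
    """Per-word check: a bare subcommand, or install/remove plus one name."""
    words = shlex.split(cmdline_args)
    if words in (["update"], ["autoremove"]):
        return True
    return (len(words) == 2 and words[0] in ("install", "remove")
            and STRICT_NAME.match(words[1]) is not None)


def audit(samples):
    """Samples the glob rule accepts although the strict check rejects them."""
    return [s for s in samples
            if sudoers_glob_allows(s) and not strict_allows(s)]


# Constructed sample invocations (the arguments following /usr/bin/apt-get).
SAMPLES = ["update", "install vim", "install vim --reinstall",
           "remove vim emacs", "install -y vim", "install v"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} glob={sudoers_glob_allows(s)!s:5} "
              f"strict={strict_allows(s)}")
    print("accepted by glob only:", audit(SAMPLES))
```

Read as a glob, the pattern also requires at least two characters after the subcommand, so a one-letter package name is rejected while trailing options and extra package names are accepted. sudo 1.9.10 and later accept anchored regular expressions (`^...$`) in sudoers, which allows a per-argument restriction of this kind.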