root vs user. installing firefox

DJ Lucas dj at linuxfromscratch.org
Sat Dec 20 20:57:38 PST 2008


Ken Moffat wrote:
> On Sun, Dec 21, 2008 at 01:23:20PM +1300, Simon Geard wrote:
>> Besides, I don't really like configuring sudo to not need a password,
>> even if I narrow it down to very specific commands. From experience,
>> it's too hard to configure safely - I can obtain root shells on most of
>> the servers at work by exploiting subtle sudo weaknesses, and I don't
>> want to reproduce that on my own machine. I mostly use it as a more
>> convenient syntax of 'su -c', requiring the root password rather than a
>> user password to do anything.
>>
>  I'm still having trouble understanding why people think sudo is
> safer, even where it is configured to require a password (I accept
> that restricting it to specific commands is safer, but probably
> inconvenient in BLFS).  In OSX I have to type my user password the
> first time I sudo, but then ISTR I can continue to sudo for a period
> of time without repeating the password.


And that is how it is configured in BLFS.  The point is, that if you 
have to take the time to type the extra command, it is a simple reminder 
to be careful.  Funny how the mind works, but at least I type a little 
slower after I enter sudo.  IMO, 'sudo make install' should not be 
reagarded as safe, but that is somewhat better then doing everything as 
root.  99.9% of the time, there is no problem, but that 0.1% can be a 
major PITA!

>  But then, people have been known to use empty passphrases with
> subversion - I can see the convenience (e.g. in svn blame), but it
> doesn't mean it's a good idea.

There is just no excuse for level of ignorance by the admin of the 
server.  Be nice, check his backups for him, and then wipe the svn tree 
for him...maybe he'll learn a hard lesson. ;-)  I know, I'd never do it 
either, but you could guarantee that I'd find a way to screw with the 
users that have a blank password, while rasing the admin until it's fixed.

-- DJ Lucas




More information about the blfs-support mailing list