Nine traits of the veteran Unix admin | Unix - InfoWorld

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Mon Feb 14 23:16:43 UTC 2011


On Mon, Feb 14, 2011 at 5:31 PM, Lennart Sorensen
<lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org> wrote:
> On Mon, Feb 14, 2011 at 02:09:14PM -0800, E K wrote:
>> That is funny but true! Particularly, the last one.
>>
>> Well, I use 'sudo bash', which is effectively equivalent to su. Too lazy to assign a password to root :-) Also, a system without a root password is a little more secure than one with a root password.
>
> And how do you deal with 'you need to run fsck manually, please enter
> root password to continue'?
>
> sudo only is a nice theory, but no more than that.

Sudo is fine if you have an environment that is sufficiently stable
that all required actions are well documented.

Unfortunately, that's not "true yet" at install time, and all bets are
off if any kind of major disaster should strike.

In the DBMS world, it is often desired to apply analogous kinds of
policies to accesses by DB administrative users, but that doesn't
always work.

The fun bit of authentication policy that gets the "strong password
freaks" really freaked out is to set up host based authentication such
that for connections coming from certain places, there is no password
required.

What the "need strong password" folk tend to fail to grasp is that
there are administrative processes that need to get in, and if they
are required to use passwords, then you're stuck blathering copies of
passwords onto all the servers, making them much more vulnerable to
capture and abuse.  They imagine that strong passwords are giving them
stronger security, when reality is that they have to be passed around
so much that the security is an illusion.

Slavish overuse of sudo is much the same.  It shoves the problem to a
different spot, namely in:
 a) Managing the sudo configuration, and
 b) Granting users access to sudo.

And if they need a zillion sudo rules, the likelihood of things
breaking because you did it wrong goes way up.
-- 
http://linuxfinances.info/info/linuxdistributions.html
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
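
The thread's two sudo points (that 'sudo bash' is effectively su, and that a large rule set is easy to get wrong) can be checked mechanically. The following is an added example, not part of the original post: a small Python audit that flags sudoers rules amounting to full root. The function name, the sample users and the sample rules are all constructed for illustration.

```python
import os
import re

# Bare commands that give the caller an unrestricted shell as the target user.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}
SPEC = re.compile(r"^(\S+)\s+([^=]+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

# Simplifications (assumed): aliases are not expanded; only a leading Runas list is read.
def audit_sudoers(text):
    """Return (who, command, nopasswd) for each rule that amounts to full root."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():   # join continued lines
        line = raw.split("#", 1)[0].strip()              # also skips #include lines
        m = SPEC.match(line)
        if not m or line.startswith("Defaults") or m.group(1).endswith("_Alias"):
            continue
        who, _host, runas, cmds = m.groups()
        # No Runas list means root; "(user:group)" keeps only the user part.
        users = {"root"} if runas is None else {u.strip() for u in runas.split(":")[0].split(",")}
        if not users & {"root", "ALL"}:
            continue
        nopasswd = False
        for cmd in (c.strip() for c in cmds.split(",")):
            tag = TAGS.match(cmd)
            if tag:  # tags carry over to later commands in the same list
                names = re.findall(r"[A-Z_]+", tag.group(0))
                nopasswd = "NOPASSWD" in names or (nopasswd and "PASSWD" not in names)
                cmd = cmd[tag.end():]
            # A command listed without arguments may be run with any arguments.
            bare = len(cmd.split()) == 1
            if not cmd.startswith("!") and (cmd == "ALL" or (bare and os.path.basename(cmd) in SHELLS)):
                findings.append((who, cmd, nopasswd))
    return findings

SAMPLE = r"""# Constructed sudoers fragment for illustration
Defaults env_reset
ek      ALL=(ALL) ALL
%ops    ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /bin/bash
backup  db1=(root) NOPASSWD: /usr/bin/rsync
dba     db1=(postgres) /bin/bash
deploy  ALL = /usr/bin/apt-get update, \
        /bin/su
"""

if __name__ == "__main__":
    for who, cmd, nopw in audit_sudoers(SAMPLE):
        print(f"{who}: {cmd} is root-equivalent" + (" (no password)" if nopw else ""))
```

The `%ops` rule shows the kind of mistake a long rule list invites: the NOPASSWD tag written for the service restart also applies to the shell listed after it.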




