[nycbug-talk] passwordless sudo: yay or nay?
George Rosamond
george at ceetonetechnology.com
Sat Nov 8 20:03:46 EST 2008
Dan Colish wrote:
> On Sat, Nov 8, 2008 at 6:33 PM, N.J. Thomas <thomas at zaph.org> wrote:
> > I've noticed a trend in the past few years where a lot of Unix users (a
> > group in which I clump BSD, Linux, and Mac OS X) are using passwordless
> > sudo.
> >
> > I've always thought this to be a security risk, if a local account with
> > sudo access is compromised then the attackers have root access, so all
> > my accounts that have blanket sudo access (i.e. "ALL=(ALL) ALL") need to
> > enter a password.
> >
> > What is the current thinking/best practice on how to set up sudo on PCs
> > and personal Unix-based desktops? Is passwordless sudo okay in this
> > context?
> >
> > Thomas
>
> I don't want to speak for everyone, but I believe passwordless sudo is
> always a mistake. If a user needs to run something without tty, for
> example, it's better to correct permissions so that user can run the
> process properly.
It really depends on the context, of course.
I also use with passwds, and use that as standard for any multi-user
servers, but sometimes I just do it for that extra "you sure?"
Thomas: we won't tell anyone if you do that on your personal unix
desktop. promise.
g
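
As an added illustration of the setups the thread discusses (not part of any poster's message): a small Python audit that reads sudoers text and reports which rules skip the password prompt, separating blanket `NOPASSWD: ALL` grants from ones scoped to named commands. The sample file, the user names and the helper names `logical_lines` and `audit` are constructed for this example; aliases and `#include` files are not expanded.

```python
import re

ALIASES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Yield (first_lineno, line): continuations joined, comments dropped."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        buf += raw.rstrip()
        if buf.endswith("\\"):              # sudoers line continuation
            buf = buf[:-1] + " "
            continue
        line = buf.split(" #")[0].strip()   # simplification: trailing comments
        if line and not line.startswith("#"):   # also skips #include lines
            yield start, line
        buf, start = "", 0

def audit(text):
    """Return (lineno, who, kind, what) for rules that skip the password prompt."""
    findings = []
    for n, line in logical_lines(text):
        if line.startswith(ALIASES):
            continue                        # aliases are not expanded here
        if line.startswith("Defaults"):
            if re.search(r"!\s*authenticate\b", line):
                findings.append((n, line.split()[0], "auth-disabled", "!authenticate"))
            continue
        who, _, rest = line.partition("=")
        rest = re.sub(r"\([^)]*\)", "", rest)   # drop the (runas) part
        nopasswd = False                    # a tag carries over to later commands
        for cmd in (c.strip() for c in rest.split(",")):
            while (m := re.match(r"([A-Z]+):\s*", cmd)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(m.group(1), nopasswd)
                cmd = cmd[m.end():]
            if nopasswd:
                findings.append((n, who.split()[0], "blanket" if cmd == "ALL" else "scoped", cmd))
    return findings

SAMPLE = r"""# constructed sample, not from the thread
alice   ALL=(ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/local/bin/rsync-job, \
        PASSWD: /sbin/shutdown
%wheel  ALL=(ALL) NOPASSWD: ALL
Defaults:carol !authenticate"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The password-prompting blanket rule for `alice` produces no finding, and the `PASSWD:` tag on the continuation line keeps `/sbin/shutdown` out of the report.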