[nycbug-talk] passwordless sudo: yay or nay?

George Rosamond george at ceetonetechnology.com
Sat Nov 8 20:03:46 EST 2008


Dan Colish wrote:
> On Sat, Nov 8, 2008 at 6:33 PM, N.J. Thomas <thomas at zaph.org> wrote:
> I've noticed a trend in the past few years where a lot of Unix users (a
> group in which I clump BSD, Linux, and Mac OS X) are using passwordless
> sudo.
> 
> I've always thought this to be a security risk, if a local account with
> sudo access is compromised then the attackers have root access, so all
> my accounts that have blanket sudo access (i.e. "ALL=(ALL) ALL") need to
> enter a password.
> 
> What is the current thinking/best practice on how to set up sudo on PCs
> and personal Unix-based desktops? Is passwordless sudo okay in this
> context?
> 
> Thomas
> 
> I don't want to speak for everyone, but I believe passwordless sudo is
> always a mistake. If a user needs to run something without tty, for
> example, it's better to correct permissions so that user can run the
> process properly.

It really depends on the context, of course.

I also use with passwds, and use that as standard for any multi-user 
servers, but sometimes I just do it for that extra "you sure?"

Thomas: we won't tell anyone if you do that on your personal unix 
desktop.  promise.

g
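
An added example, not part of the original thread: a small Python check that lists which sudoers rules let commands run without a password, separating blanket "ALL" grants from scoped ones. It assumes one host spec per rule and treats every '#' as a comment start; the function name and the sample rules are constructed for illustration.

```python
import re

RUNAS = re.compile(r"\([^)]*\)")             # (ALL), (root), (ALL : ALL)
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)+)")    # NOPASSWD:, PASSWD:, NOEXEC:, ...
ALIASES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def passwordless_grants(sudoers_text):
    """Return (who, command, is_blanket) for every command sudo runs without a password."""
    findings = []
    # Join backslash-continued lines, then handle one rule per line.
    for raw in sudoers_text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()      # simplification: '#' always starts a comment
        if not line or line.startswith(ALIASES):
            continue
        if line.startswith("Defaults"):
            if "!authenticate" in line:          # turns off the password prompt for that scope
                findings.append((line.split()[0], "!authenticate", True))
            continue
        if "=" not in line:
            continue
        head, spec = line.split("=", 1)
        who, nopasswd = head.split()[0], False
        for item in RUNAS.sub("", spec).split(","):
            item = item.strip()
            m = TAGS.match(item)
            if m:                                # a tag applies until its opposite appears
                for tag in re.findall(r"[A-Z_]+", m.group(1)):
                    if tag in ("NOPASSWD", "PASSWD"):
                        nopasswd = tag == "NOPASSWD"
                item = item[m.end():].strip()
            if item and nopasswd:
                findings.append((who, item, item == "ALL"))
    return findings

# Constructed sample rules, not taken from any real system.
SAMPLE = r"""
# blanket access, password required
alice   ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/local/bin/rsync-job, PASSWD: /sbin/shutdown
ops     ALL=(ALL) NOPASSWD: /usr/bin/top, \
                  /usr/bin/uptime
Defaults:carol !authenticate
"""

if __name__ == "__main__":
    for who, cmd, blanket in passwordless_grants(SAMPLE):
        print("BLANKET" if blanket else "scoped ", who, cmd)
```

The password-protected blanket rule for alice is not reported; the %wheel rule and the per-user `!authenticate` default are reported as blanket.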


