[nzlug] Dell are sooo pwn3d

Phillip Hutchings phillip.hutchings at sitharus.com
Sat Jun 30 10:17:54 NZST 2007


> Still don't (fully) understand the reason for sudo etc. :-)

I don't understand the reason for an active root account when you have sudo ;)

It doesn't buy you much the way I assume most of the luggites use it -
it just gives a root shell - but when you have an application or a
user that needs to execute a command as root, but you don't want them
to have root access for whatever reason, you can add them to sudoers
and let them run that one command, especially as sudo can also enforce
the arguments passed to the script.

For example, a control panel for a product at work runs through
Apache. It needs to be able to restart the database server and the
application server, which both run as separate users. We could run it
using suexec, but it's easier, and potentially more secure, to run an
init script specified in sudoers.

There's also a very debatable security benefit. If root is enabled a
remote attacker just needs to guess the password for root. If it's not
enabled then they have to find the username as well as the password. I
don't allow root logins via SSH anyway, so it's not really a good
argument.

-- 
Phillip Hutchings
http://www.sitharus.com/
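
A sudoers fragment for the control-panel case described in the message above, as an added example that is not part of the original post. The web server user `apache`, the file name, and the init script names `exampledb` and `exampleapp` are assumptions.

```sudoers
# /etc/sudoers.d/controlpanel  (assumed file name; added example)
# Assumed names: web server user "apache", init scripts "exampledb"
# and "exampleapp". Substitute the real ones.

# When a command in sudoers is listed with arguments, the arguments
# given on the sudo command line must match them exactly. So
# "exampledb restart" is permitted; "exampledb stop" is refused.
Cmnd_Alias PANEL_RESTART = /etc/init.d/exampledb restart, \
                           /etc/init.d/exampleapp restart

# Start the command with a minimal environment and a fixed PATH, so
# nothing inherited from the web application reaches the init script.
Defaults:apache env_reset
Defaults:apache secure_path = "/usr/sbin:/usr/bin:/sbin:/bin"

# NOPASSWD because a daemon has nobody to type a password. The rule
# grants these two command lines and nothing else.
apache ALL = (root) NOPASSWD: PANEL_RESTART

# Weaker forms, shown commented out for comparison:
#
# No argument list: any arguments are accepted, so every action the
# init script supports becomes available to the web application.
#   apache ALL = (root) NOPASSWD: /etc/init.d/exampledb
#
# Wildcard arguments: same effect as above.
#   apache ALL = (root) NOPASSWD: /etc/init.d/exampledb *
#
# The restriction only holds if the init scripts and every directory
# above them are owned by root and not writable by "apache"; otherwise
# the permitted command can be replaced with something else.
```

Syntax-check the file with `visudo -c -f /etc/sudoers.d/controlpanel` before relying on it, and confirm the resulting grant with `sudo -l -U apache`.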


