tech-security: Re: [lists@globalintersec.com: [Global InterSec 2002041701] Sudo

Subject: Re: [lists@globalintersec.com: [Global InterSec 2002041701] Sudo
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.ORG>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 04/25/2002 19:11:01

On Thu, 25 Apr 2002, Greg A. Woods wrote:

> [ On Thursday, April 25, 2002 at 17:46:31 (-0700), Jeremy C. Reed wrote: ]
> > What are some safer and easier alternatives for this?
>
> A proper dedicated set-ID program that can't be mis-configured so
> easily would be an almost infinitely better alternative than sudo.

But probably not easier for my example that was clipped out.

> Perhaps it wouldn't even have to be set-ID-root if what it does can be
> delegated to a special user.

I agree.

From on another message on Thu, 25 Apr 2002, Greg A. Woods wrote:

> I think sudo can be used securely for very limited purposes, at least
> that's what people keep telling me.  However I've never had the occasion
> to try to set it up that securely -- I take the other approach and
> divide services into special users and groups and carefully delegate
> privileges to those special IDs.

That is the better idea. Now to spend some time getting the gui cd roaster
wrapper and its required tools to run without any root privileges ...

   Jeremy C. Reed
   http://www.reedmedia.net/