[sudo-users] (correction) How to use sudo without typing sudo before any command

Russell Van Tassell russell+sudo-users at loosenut.com
Fri Jun 12 21:57:48 EDT 2009


On Fri, Jun 12, 2009 at 05:20:14PM -0700, David Ledger wrote:
> At 08:34 -0400 5/6/09, Justin Alcorn wrote:
> > [sudo su]
>
> There must be lots of people using sudo to run individual commands as 
> root, but in my experience, across many companies, sudo is mainly 
> used in the way Vijay wants. Other uses have been to allow specific 
> users to run something as 'oracle' and, 9 years ago, to mount a CD as 
> root.

To me, that argument is basically as good as saying "no need to make
process or practice improvements, as the same error-prone way still
works okay for me."  That's fine if that's what you really want to
do... but people here are telling you there are better and "more
supported" ways of implementing this sort of thing.

You can ride a bike without a helmet, too... and that's "just fine."
But it doesn't mean that someday that practice isn't going to hurt
or maim you, even through no account of your own.  (Yes, I realize
that's kind of a bizarre analogy, but it's been a long week).

> Using it this way is 
> useful for allowing SysAdmins to work without passing out the root 
> password, which remains in a safe for use in emergencies.

Sure... for some value of "safe."

However, for companies that are truly looking for (insert various
compliance certificates/agencies here), attempting to lock down and
enforce things such as principle of least privilege, traceable levels
of accounting and others... well, sudo is a great tool (meanwhile the
passwords stay locked up in a PGP encrypted "vault" or similar, for
those same "emergencies").
 
And yes, I realize that with a lot of this you may also "have
to trust your employees" -- unfortunately that's not always truly
possible or even a major concern.



