[sudo-users] (correction) How to use sudo without typing sudo before any command

David Ledger david.ledger at ivdcs.co.uk
Sat Jun 13 22:37:28 EDT 2009


At 18:57 -0700 12/6/09, Russell Van Tassell wrote:
>On Fri, Jun 12, 2009 at 05:20:14PM -0700, David Ledger wrote:
>>  At 08:34 -0400 5/6/09, Justin Alcorn wrote:
>>  > [sudo su]
>>
>>  There must be lots of people using sudo to run individual commands as
>>  root, but in my experience, across many companies, sudo is mainly
>>  used in the way Vijay wants. Other uses have been to allow specific
>>  users to run something as 'oracle' and, 9 years ago, to mount a CD as
>>  root.
>
>To me, that argument is basically as good as saying "no need to make
>process or practice improvements, as the same error-prone way still
>works okay for me."  That's fine if that's what you really want to
>do... but people here are telling you there are better and "more
>supported" ways of implementing this sort of thing.
>
>You can ride a bike without a helmet, too... and that's "just fine."
>But it doesn't mean that someday that practice isn't going to hurt
>or maim you, even through no account of your own.  (Yes, I realize
>that's kind of a bizarre analogy, but it's been a long week).
>
>>  Using it this way is
>>  useful for allowing SysAdmins to work without passing out the root
>>  password, which remains in a safe for use in emergencies.
>
>Sure... for some value of "safe."
>
>However, for companies that are truly looking for (insert various
>compliance certificates/agencies here), attempting to lock down and
>enforce things such as principle of least privilege, traceable levels
>of accounting and others... well, sudo is a great tool (meanwhile the
>passwords stay locked up in a PGP encrypted "vault" or similar, for
>those same "emergencies").
>
>And yes, I realize that with a lot of this you may also "have
>to trust your employees" -- unfortunately that's not always truly
>possible or even a major concern.

I haven't made the rules at those places. That's just what they do. 
Some of the companies might surprise you. I'm not suggesting that 
it's good practice, it's just the only way I've seen sudo used - and 
I've been a Unix SysAdmin for over 25 years - almost 20 of them as a 
contractor.

>Sure... for some value of "safe."

A 'safe' is a big metal cupboard with a lock. :-)  from where 
business managers can retrieve an envelope containing the root 
password. It helps them feel they can have some control. Offer it in 
a 'digital vault' and they'd insist on writing the password to the 
vault in their diaries. The only site I've worked at where there was 
a security audit, Unix failed because it wasn't VMS (the only system 
the auditor knew), and his opinion was, luckily, disregarded.

David


-- 
David Ledger - Freelance Unix Sysadmin in the UK.
HP-UX specialist of hpUG technical user group (www.hpug.org.uk)
david.ledger at ivdcs.co.uk
www.ivdcs.co.uk
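The thread contrasts the blanket "sudo su" pattern with the per-command, per-target-user grants that Russell and David both mention (running something as 'oracle', mounting a CD as root). The sudoers fragment below is an added illustration, not from either poster or from the sudo project's documentation; the group names, the hostname, and the paths to sqlplus and the CD device are assumptions chosen for the example. It shows the weak setting beside a least-privilege form that keeps the root password in its envelope and still produces a per-command audit trail.

```sudoers
# Added example, not from the thread. Hostname, group names and paths are
# assumptions; adjust them for a real site and always edit with visudo.

# --- What "sudo su" in practice amounts to (the weak setting) -------------
# One rule hands every member of 'admins' an unlogged root shell: sudo logs
# only "su", and nothing the user does afterwards is attributed to them.
# %admins   ALL=(ALL) ALL

# --- Least-privilege form --------------------------------------------------
# Log every invocation to a file as well as syslog; the auditor gets who,
# when, from where, and which command, rather than a single "su" line.
Defaults    logfile=/var/log/sudo.log
Defaults    syslog=auth

# Host and command aliases keep the rules readable when the file grows.
Host_Alias  DBHOSTS   = dbhost01, dbhost02            # assumed hostnames
Cmnd_Alias  ORACLE    = /opt/oracle/bin/sqlplus       # assumed path
Cmnd_Alias  CDROM     = /bin/mount /dev/cdrom, /bin/umount /dev/cdrom

# DBAs may run sqlplus as 'oracle' (and only as oracle) on the DB hosts.
# NOEXEC stops the program from exec'ing further commands, which matters
# for any tool with a "shell out" feature; it would otherwise hand the
# caller an interactive shell as the target user.
%dba        DBHOSTS=(oracle) NOEXEC: ORACLE

# Operators may mount and unmount the CD as root, nothing else, no password.
%ops        ALL=(root) NOPASSWD: CDROM

# Sysadmins who need to change config files get sudoedit rather than an
# editor run as root: the edit is logged and the editor runs unprivileged.
%sysadmin   ALL=(root) sudoedit /etc/hosts, sudoedit /etc/resolv.conf
```

Two checks belong with this. First, run `visudo -c` after every change, since a syntax error in sudoers locks everyone out of sudo at once. Second, review each granted command for the ability to spawn a shell, editor, or arbitrary file write (the reason sqlplus carries NOEXEC and file edits go through sudoedit above); a command that can do either is functionally equivalent to the blanket rule it was meant to replace.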