Gentoo Archives: gentoo-user

From: Alan McKinnon <alan.mckinnon@×××××.com>
To: gentoo-user@l.g.o
Cc: Joost Roeleveld <joost@××××××××.org>
Subject: Re: [gentoo-user] kdepim-4.6.0 woes
Date: Thu, 23 Jun 2011 20:18:36
Message-Id: 2159296.UWiCObHR2s@nazgul
In Reply to: Re: [gentoo-user] kdepim-4.6.0 woes by Joost Roeleveld
On Thursday 23 June 2011 13:36:11 Joost Roeleveld did opine thusly:
> On Thursday 23 June 2011 05:53:15 Dale wrote:
> > Joost Roeleveld wrote:
> > > On Wednesday 22 June 2011 18:02:39 Alan McKinnon wrote:
> > >> But all this was mild compared to what I did yesterday.
> > >> You know that notice on the console when you get sudo
> > >> wrong? It says the incident "will be reported"
> > >>
> > >> OK. But to whom? On my shell boxes it gets reported to me.
> > >> And
> > >> yesterday this is what it said:
> > >>
> > >> <host> : Jun 21 11:55:25 :<user> : 1 incorrect password
> > >> attempt ; TTY=pts/194 ; PWD=/some/path ; USER=root ;
> > >> COMMAND=init 6
> > >>
> > >> 500 concurrent sessions on that box is routine, it's a
> > >> major gateway server. That poor user has not recovered
> > >> yet.
> > >
> > > You mean, he (or she) will eventually recover?
> > >
> > > Am curious though, why the attempt for a reboot?
> >
> > I was curious about that too. I don't use sudo, I'm the only
> > geek in the chair here, but I don't think I would want to
> > reboot just because my typing was off.
>
> I do use sudo for some scripts as I don't want the script to have
> root-access to some of the servers and I definitely don't want to
> add suid-bits to random programs.
>
> At my home, I'm not the only one who knows his/her way around
> computers. But neither of us would consider it a good idea to
> simply reboot a machine.
>
> > Given what Alan runs and the amount of people it affects, I'm
> > surprised it is set up that way. Question. You changed that
> > behavior yet Alan?
>
> I'm guessing Alan got that because it's not allowed with sudo. If it
> was, the password-failure wouldn't have been listed.

On a single user box, sudo is often a pain in the butt (witness the
amount of whinging that goes on with Ubuntu users), so su is probably
much better for that.

On a large multi-user corporate shell box, you can't avoid needing
fine-grained access control and elevated privileges. A choice between
running as user alan or root just doesn't cut it, neither does suid. I
need to be able to let the senior Cisco jockeys run a router
configurator app as the networkadmin role, or let the tape backup
fellows run the backup agent as root, without giving them the root
password.

There's 4 of us in the team, when one resigns it takes all day to
change the root passwords everywhere. With 600 login users it just
doesn't work at all.

So sudo is absolutely required in this neck of the woods.

Of course the machine didn't reboot - that user isn't in the wheel
group, so sudo gave him the middle finger. That's not the point -
/etc/sudoers is there to save my ass, not the user's. The user got the
wrath treatment because he made the biggest mistake of them all:

He was not paying attention.

:-)

--
alan dot mckinnon at gmail dot com
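The role-based grants Alan describes (network people running a router tool as a dedicated role, backup people running the backup agent as root, nobody else getting anything, and every refusal mailed to the admins) can be written as a sudoers fragment like the following. This is an added example, not configuration from the thread or from Gentoo; every user name, group name, binary path and mailbox in it is made up, and it is meant to be installed with visudo, never by editing /etc/sudoers directly.

```sudoers
# Added example, not from the thread: a sudoers fragment granting the two
# role-based rights described in the mail without handing out the root password.
# All user names, group names, paths and the mailbox below are assumptions.

# Roles: who may run what, and as whom
User_Alias  NETOPS    = jsmith, pnaidoo        # the senior Cisco jockeys (assumed names)
User_Alias  BACKUPOPS = %backup                # the tape backup team, via a Unix group
Runas_Alias NETADMIN  = networkadmin           # service account that owns the router tool

# Commands, always by absolute path; sudo matches the full path it resolves
Cmnd_Alias  ROUTERCFG = /usr/local/bin/routerconf
Cmnd_Alias  BACKUP    = /opt/backup/bin/agent

# Grants. Anything not listed here (init, shutdown, a shell...) is refused.
NETOPS    ALL = (NETADMIN) ROUTERCFG
BACKUPOPS ALL = (root) BACKUP
%wheel    ALL = (ALL) ALL                      # the admin team itself

# Defaults that produce the "this incident will be reported" mail quoted above
Defaults  mail_badpass                         # mail on a wrong password
Defaults  mail_no_user                         # mail when the caller is not in sudoers at all
Defaults  mailto = "sudo-alerts@example.org"   # assumed admin mailbox
Defaults  logfile = /var/log/sudo.log          # keep a local record as well as syslog
```

Validate the file with `visudo -c` before relying on it, and check what a given account actually gets with `sudo -l -U jsmith` (run as root): a user outside NETOPS, BACKUPOPS and wheel should list no commands at all, which is exactly the situation that turned the `init 6` attempt in the mail into a report rather than a reboot.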