On Thursday 23 June 2011 13:36:11 Joost Roeleveld did opine thusly:

> On Thursday 23 June 2011 05:53:15 Dale wrote:
> > Joost Roeleveld wrote:
> > > On Wednesday 22 June 2011 18:02:39 Alan McKinnon wrote:
> > >> But all this was mild compared to what I did yesterday.
> > >> You know that notice on the console when you get sudo
> > >> wrong? It says the incident "will be reported"
> > >>
> > >> OK. But to whom? On my shell boxes it gets reported to me.
> > >> And yesterday this is what it said:
> > >>
> > >> <host> : Jun 21 11:55:25 :<user> : 1 incorrect password attempt ; TTY=pts/194 ; PWD=/some/path ; USER=root ; COMMAND=init 6
> > >>
> > >> 500 concurrent sessions on that box is routine, it's a
> > >> major gateway server. That poor user has not recovered
> > >> yet.
> > >
> > > You mean, he (or she) will eventually recover?
> > >
> > > Am curious though, why the attempt for a reboot?
> >
> > I was curious about that too. I don't use sudo, I'm the only
> > geek in the chair here, but I don't think I would want to
> > reboot just because my typing was off.
>
> I do use sudo for some scripts as I don't want the script to have
> root-access to some of the servers and I definitely don't want to
> add suid-bits to random programs.
>
> At my home, I'm not the only one who knows his/her way around
> computers. But neither of us would consider it a good idea to
> simply reboot a machine.
>
> > Given what Alan runs and the amount of people it affects, I'm
> > surprised it is set up that way. Question. You changed that
> > behavior yet Alan?
>
> I'm guessing Alan got that because it's not allowed with sudo. If it
> was, the password-failure wouldn't have been listed.

On a single user box, sudo is often a pain in the butt (witness the
amount of whinging that goes on with Ubuntu users), so su is probably
much better for that.

On a large multi-user corporate shell box, you can't avoid needing
fine-grained access control and elevated privileges. A choice between
running as user alan or root just doesn't cut it, neither does suid. I
need to be able to let the senior Cisco jockeys run a router
configurator app as the networkadmin role, or let the tape backup
fellows run the backup agent as root, without giving them the root
password.

There's 4 of us in the team, when one resigns it takes all day to
change the root passwords everywhere. With 600 login users it just
doesn't work at all.

So sudo is absolutely required in this neck of the woods.

Of course the machine didn't reboot - that user isn't in the wheel
group, so sudo gave him the middle finger. That's not the point -
/etc/sudoers is there to save my ass, not the user's. The user got the
wrath treatment because he made the biggest mistake of them all:

He was not paying attention.

:-)

--
alan dot mckinnon at gmail dot com
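The setup Alan describes (network staff running a router configurator as a `networkadmin` role, backup operators running the backup agent as root, nobody else getting anything, and failed attempts mailed to the admin team) maps onto a sudoers policy like the one below. This is an added illustration, not Alan's actual /etc/sudoers; the user names, group names, program paths and mail address are made up, and the `mail_badpass`/`mail_no_user`/`mailto` options are standard sudo Defaults that produce the kind of report quoted in the thread.

```sudoers
# Roles are expressed as aliases, so nobody needs the root password
# and offboarding a person means editing one line, not rotating root
# on every server. All names below are placeholders.
User_Alias   NETADMINS = jsmith, mlee          # senior Cisco jockeys
User_Alias   BACKUPOPS = %backup               # the tape backup fellows (Unix group)
Runas_Alias  NETROLE   = networkadmin          # the role, not root
Cmnd_Alias   ROUTERCFG = /usr/local/bin/router-configurator
Cmnd_Alias   BACKUP    = /opt/backup/bin/backup-agent

# Where "the incident will be reported" actually goes.
# mail_no_user is on by default (mail when the caller is not in sudoers at all);
# mail_badpass is off by default and adds the "incorrect password attempt" reports.
Defaults     mailto="sysadmins@example.com"
Defaults     mail_badpass, mail_no_user
Defaults     logfile=/var/log/sudo.log          # keep a local audit trail as well

# Network staff may run only the configurator, and only as the networkadmin role.
NETADMINS    ALL = (NETROLE) ROUTERCFG

# Backup operators may run only the backup agent, as root.
BACKUPOPS    ALL = (root) BACKUP

# The sysadmin team itself: full access.
%wheel       ALL = (ALL) ALL

# Anyone not matched above (the user who typed "sudo init 6") is refused,
# the attempt is logged, and the mail above lands in the admins' inbox.
```

Check a policy with `visudo -c` before installing it, and use `sudo -l -U <user>` to see exactly what a given account would be allowed to run.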