OpenWall 3.0

Posted Jan 6, 2011 17:01 UTC (Thu) by solardiz (guest, #35993)
In reply to: OpenWall 3.0 by Cyberax
Parent article: Linux capabilities support for user namespaces

Having sudo and allowing for the use of su to elevate privileges is downright illogical in most cases (on servers, which is what Openwall GNU/*/Linux is for). Here are some excerpts from past discussions on the topic:

http://www.openwall.com/lists/owl-users/2004/10/20/6
http://lwn.net/Articles/413891/
http://linux.slashdot.org/comments.pl?sid=1915256&cid...

The alternative to the su/sudo approach is direct root logins. And the solution to the accountability problem (with multiple sysadmins) is multiple root-privileged accounts (with a distinct naming convention for clarity).

Occasional exceptions do exist. In our experience, less than 10% of server systems would potentially benefit from sudo, and a safer approach can be used on those anyway: we generally prefer ssh forced commands - that is, command=... in authorized_keys - even if this is to be invoked by a local account on the system itself, such as by a support person who is not a "full" sysadmin.
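
An added example, not part of the original comment and not Openwall's own code: one way to set up the ssh forced-command approach mentioned above, where a key is tied to a dispatcher that accepts only named actions. The script path, account name, action names and the commands they map to are assumptions for illustration.

```shell
#!/bin/sh
# Forced-command dispatcher (added example; all names below are hypothetical).
#
# authorized_keys entry for the privileged account, on one line
# (the key material is a placeholder):
#   command="/usr/local/sbin/support-dispatch",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> support-operator
#
# The support person then runs, even from a local account on the same host:
#   ssh -i ~/.ssh/support_key r_support@localhost status-web
#
# sshd ignores the requested command, runs this script instead, and passes
# the client's request in SSH_ORIGINAL_COMMAND.

# Map an action name to a fixed command line. The request is only compared
# against literal names; it is never evaluated or passed to a shell.
resolve_action() {
    case "$1" in
        status-web)  echo "/sbin/service httpd status" ;;
        restart-web) echo "/sbin/service httpd restart" ;;
        disk-usage)  echo "/bin/df -h" ;;
        *)           return 1 ;;   # anything else, including an empty request
    esac
}

dispatch() {
    requested=${SSH_ORIGINAL_COMMAND:-}
    if ! fixed=$(resolve_action "$requested"); then
        # Record the refused request for accountability, then stop.
        logger -t support-dispatch -p auth.notice "denied: $requested"
        echo "support-dispatch: request not permitted" >&2
        return 1
    fi
    logger -t support-dispatch -p auth.info "running: $requested"
    set -f          # no glob expansion when the fixed string is split
    # shellcheck disable=SC2086  # splitting our own table entry is intended
    exec $fixed
}

# Act only when installed under the expected name, so the functions can be
# sourced and checked without executing anything.
case "$0" in
    */support-dispatch) dispatch ;;
esac
```

An interactive login attempt with this key arrives with an empty SSH_ORIGINAL_COMMAND and is refused like any other unlisted request.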

