Sudo rant

High levels of confirmation bias politics in here.

sudo(8) was developed by Todd C. Miller (an OpenBSD developer) and released under a permissive licence.

I think much of the hate for it comes from the classic Ubuntu style implementation as a root/su replacement - e.g. this kind of thing:

Code:
# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

A previous poster in this thread did link to some literature on the subject (some by Michael W Lucas).

Personally I prefer su(1).

sudo is useful if you want to give someone some very specific permissions without giving them full root privileges. e.g. if you need to allow someone to ssh into your server and restart a specific daemon for example.
 
Personally I prefer su(1).

sudo is useful if you want to give someone some very specific permissions without giving them full root privileges. e.g. if you need to allow someone to ssh into your server and restart a specific daemon for example.
sudo & su are very different programs with quite different goals.

You can use sudo in scripts while su is for terminal use.
 
su and sudo are interfaces to the same mechanism, setuid, almost as old as Unix itself, with it being written as the kernel counterpart of su.

Setuid allows us to run escalated processes as a limited user, with the process itself doing the privilege control any way it wants.

On top of this builds su, for interactive shells, and sudo, for commands.

For example, if you wish to run Steam and be secure you run it under a different user. If you want to simply enter in, or click into Steam, you will need to switch users per set rules, and this is where sudo kicks in. Without it there are no seamless ways to perform this.

(everything written for sudo doubles for doas)
 
Yeah, if you want some finer-grained control, then there's no way around getting deep into learning how the privilege elevation mechanism even works, and what options are available. For some use cases, that's a sore necessity, and for others - merely a convenience that does require some fine-tuning. If that convenience is not tuned correctly, though - that can really bite, and we're stuck between deciding if it's better to open the floodgates or shut them completely.
 
Artix, Void, Devuan
perhaps try gentoo? or like you said it yourself avoid “lunix” altogether as much as possible - the problem with that is in past couple of decades it has become practically as ubiquitous as ms winblows once was (coincidentally also about 20 years or so ago) and embraced by corporate integrators virtually everywhere. as a result it is essentially impossible to avoid all interaction with it completely just like it was impossible to avoid all contact with ms winblows in late 90s - early 00s…
 
perhaps try gentoo? or like you said it yourself avoid “lunix” altogether as much as possible - the problem with that is in past couple of decades it has become practically as ubiquitous as ms winblows once was (coincidentally also about 20 years or so ago) and embraced by corporate integrators virtually everywhere. as a result it is essentially impossible to avoid all interaction with it completely just like it was impossible to avoid all contact with ms winblows in late 90s - early 00s…
I was trying hard recently to run my webserver stack on all-Windows, but something had a php-posix requirement. I figured out the minimals for WSL and the Linux distro I came from, copied my PHP set-up (bare-metal to WSL), tried dozens of variations of nginx and proxy_pass stuff, and figured out how to have just that website's PHP going through WSL php-fpm while keeping everything else on win32 nginx and php-cgi! It was fun :p

I did learn an interesting trick though to not run php-fpm master as root like every Linux distro and FreeBSD (iirc) do out-the-box (along with not needing a master process at all!). sudo was annoying enough off-Windows that I did everything unelevated on Windows, so sudo kind-of encouraged a better security habit I appreciated more on Windows 😅
 
sudo(8) was developed by Todd C. Miller (an OpenBSD developer) and released under a permissive licence.
A previous poster in this thread did link to some literature on the subject (some by Michael W Lucas).
We weren't complaining about any of that. I have one of his ebooks. It was something unrelated to su, sudo, doas, any access control and his books that had no business being brought up.

Personally I prefer su(1).

sudo is useful if you want to give someone some very specific permissions without giving them full root privileges. e.g. if you need to allow someone to ssh into your server and restart a specific daemon for example.
I use doas, but sudo may have been the inspiration and blueprint for doas. Also, su may have been inspiration for sudo and doas.
 
Guys, learn about "visudo". It is up to you if a password is needed with sudo. While I cannot recommend turning off the password requirement in general, it can make a lot of sense to disable the password requirement for certain commands. visudo behaves in a similar fashion on FreeBSD and most Linux distros.
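
Added example, not part of any post in this thread: a small Python check over a simplified subset of sudoers syntax that contrasts the broad `%sudo` rule quoted earlier with a command-scoped, password-free rule of the kind discussed above. The `deploy` and `backup` users, the `RESTART_WEB` alias and the nginx restart command are hypothetical.

```python
import re

# Constructed sudoers sample: the %sudo rule is the broad grant quoted in the
# thread; "deploy", "backup" and the nginx restart command are hypothetical.
SAMPLE = """\
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
Cmnd_Alias RESTART_WEB = /usr/sbin/service nginx restart
deploy  ALL=(root) NOPASSWD: RESTART_WEB
backup  ALL=(root) NOPASSWD: ALL
"""

# Simplification: comments, includes, Defaults and non-command aliases are skipped.
SKIP = ("#", "@", "Defaults", "User_Alias", "Host_Alias", "Runas_Alias")
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


def audit(text):
    """Return (who, finding) pairs; tags are treated as applying to the whole rule."""
    aliases, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        m = ALIAS_RE.match(line)
        if m:  # remember Cmnd_Alias members so later rules can be expanded
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        who, _hosts, _runas, rest = m.groups()
        tags = set()
        while (t := TAG_RE.match(rest)):  # peel off NOPASSWD:, SETENV:, ...
            tags.add(t.group(1))
            rest = rest[t.end():]
        cmds = []
        for c in (c.strip() for c in rest.split(",")):
            cmds.extend(aliases.get(c, [c]))
        if "ALL" in cmds:
            findings.append((who, "any command, no password" if "NOPASSWD" in tags else "any command"))
        elif "NOPASSWD" in tags:
            findings.append((who, "no password, limited to: " + "; ".join(cmds)))
    return findings


if __name__ == "__main__":
    for who, finding in audit(SAMPLE):
        print(f"{who}: {finding}")
```

Syntax-check any real sudoers change with `visudo -c` before relying on it; this parser only reports what each rule grants.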
 
We weren't complaining about any of that. I have one of his ebooks. It was something unrelated to su, sudo, doas, any access control and his books that had no business being brought up.
The original post appears to take the form of a rant against the Ubuntu style implementation of sudo in some Linux distribution. I posted the information about the developer and licence, as many Linux users have assumed sudo to be an Ubuntu / Linux thing in the past, so I don't think it's harmful to get that "on record".

So in my view, the documentation and further reading seems relevant. (Incidentally - the documentation and further reading does seem more on-topic to the thread compared to political opinion pieces interspersed throughout.)
 