On Friday, 24 December 2010, Robert Ransom <rransom.8774_AT_gmail.com> wrote:
> sudo has the advantage over su that, if you learn how to configure it
> properly, you can allow certain users to run certain commands without
> typing the root password.

Which has certain implications. If you have a bunch of people who need
admin privileges, say, you don't want all of them using the same root
password. And what if you want people to be root only for certain
things?

So, it would be nice to let these people escalate privileges without
su. So what, keep separate setuid binaries? But as pointed out
earlier, a program can distinguish between an actual and an
'effective' uid, and many rely on this.

What would be great is if we could have a way that someone can
escalate their privileges through a single setuid binary with their
own individual password... Of course, we'll need to restrict what each
user can do. We can call this something like su-do?

Setuid is best when a *binary* needs its owner's privileges even when
executed by another user. When a *user* needs those privileges, go for
sudo (or sup, or whatever).

Btw, happy Christmas, all. :)

cls
Received on Fri Dec 24 2010 - 13:23:01 CET
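
The real versus effective uid distinction mentioned in the message above, as an added C example that is not part of the original thread: it classifies how the process was started and then gives up the owner's privileges. The names `classify`, `current_context` and `drop_to_caller` are hypothetical, and the drop assumes a setuid-root binary on Linux.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* How the process was started, judged only from its real and effective uid. */
enum ctx { CTX_PLAIN, CTX_SETUID, CTX_ROOT };

/* Pure classifier, so all three cases can be checked without privileges. */
enum ctx classify(uid_t ruid, uid_t euid)
{
    if (ruid != euid)
        return CTX_SETUID;  /* setuid binary: real uid is still the caller */
    return euid == 0 ? CTX_ROOT : CTX_PLAIN;  /* su and sudo (by default) set both ids */
}

enum ctx current_context(void)
{
    return classify(getuid(), geteuid());
}

/* Hypothetical helper: return to the caller's identity once the privileged
 * step is done. Assumes a setuid-root binary, where setuid() called as root
 * resets the real, effective and saved uid together. The group is changed
 * first because setgid() needs the privileges that setuid() removes.
 * Supplementary groups are not touched here. */
int drop_to_caller(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)  /* confirm the drop took effect */
        return -1;
    if (ruid != 0 && setuid(0) == 0)             /* regaining root must fail */
        return -1;
    return 0;
}

int main(void)
{
    static const char *names[] = { "plain user", "setuid binary", "full root" };
    printf("real=%ld effective=%ld -> %s\n", (long)getuid(), (long)geteuid(),
           names[current_context()]);
    if (drop_to_caller() != 0) {
        perror("drop_to_caller");
        return 1;
    }
    printf("after drop: real=%ld effective=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```
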