Yea, I don't think you understand what you're saying. Security is not a binary thing - it's layered. And your user is not, in fact, authorised to do pretty much anything outside your homedir.
Linuxsucks
Rules:
- FOSS advocates and Linux evangelists aren't welcome. -We ask that you block us.
- Moderation is heavy handed. Try to stay on topic.
- No Complaining Mute the sub if users, content, or rules bother you
If the user is in the sudoers file, they are authorized to do the things configured there.
Which is obvious when they can do the thing after entering their own password.
But since they already entered the same password at login, and are still logged in, there's no point in entering the same password one more time.
If that's your idea for security, you might as well pop up another password prompt every half hour to check that the same person is still on the PC.
The argument "a password prompt tells the user to stop and think" is wrong. That's not what a password prompt's purpose is.
For that, you can pop up a confirmation dialog, or even a text box where they have to type in "yes".
Using a password for anything other than proving the correct user is at the keyboard makes it less secure.
This is why Active Directory and Kerberos are so great. You log in once in the morning, and that's it.
And since you only have to type in your password once before work, it can be really secure and long.
Also, the chance of someone standing behind you while you type it is reduced.
If the user is in the sudoers file, they are authorized to do the things configured there.
Correct. But the thing configured there is "to act on behalf of root for these items", not the "things" themselves.
Which is obvious when they can do the thing after entering their own password.
$ touch file1
$ sudo touch file2
$ ls -l file{1,2}
-rw------- 1 illecors illecors 0 Nov 12 14:56 file1
-rw------- 1 root root 0 Nov 12 14:56 file2
It is not you executing stuff with sudo
. file1
is owned by you, but file2
is owned by root
.
But since they already entered the same password at login, and are still logged in, there’s no point in entering the same password one more time.
There is a point. See above.
The argument “a password prompt tells the user to stop and think” is wrong.
That's not an argument I've made, nor make.
For that, you can pop up a confirmation dialog, or even a text box where they have to type in “yes”.
Both of which are much easier to defeat than a pop up confirmation dialog with a text box for your password.
Using a password for anything other than proving the correct user is at the keyboard makes it less secure.
No it doesn't - you seem to be making things up to justify your lack of understanding. Authentication is not the same as authorisation, nor should it be treated the same way.
When you type in your password on a login prompt - you authenticate who you are.
When you type in your password on a sudo prompt - you authorise a command to be carried out on behalf of root
.
This is why Active Directory and Kerberos are so great. You log in once in the morning, and that’s it.
I'm not sure you realise how little you do on a windows machine. Good luck installing system software or altering system files on an AD managed Windows machine without authorisation. Which is what your meme(?) is implying.
And since you only have to type in your password once before work, it can be really secure and long.
There is no justification here, just a manufactured statement.
Also, the chance of someone standing behind you while you type it is reduced.
See above.
You are not the only one able to execute code under your user's name. A normally installed program, running under your directive as user, can run other commands under your authority as user.
But it can't run as root. You can run things as root via sudo, when you prove your identity as yourself - with the password - rather than another program operating in your name.
Passwordless sudo I think could be exploited e.g. by writing a script and passing it to bash.
(Or, as another reply pointed out, it provides a barrier against moderate malice of a passer-by or a 'friend' temporarily using your computer.)
Should be called medo
vim ~/.bashrc
alias medo=sudo
:wq
You want su
. sudo
is something else. It doesn't do things the way you want them to be done. The way it does things is correct for its use cases. You don't want to see that. So just fucking use su
and leave us alone.