[896] in athena10
Re: [athena10] sudo
daemon@ATHENA.MIT.EDU (Robert Basch)
Thu Jan 22 15:16:27 2009
In-Reply-To: <Pine.LNX.4.64L.0901221207100.25977@vinegar-pot.mit.edu>
Message-Id: <DFDAD4E1-CA4A-4A8C-95E3-836651D2B6D3@mit.edu>
Cc: Mitchell E Berger <mitchb@mit.edu>, Greg Hudson <ghudson@mit.edu>,
Evan Broder <broder@mit.edu>, athena10@mit.edu
From: Robert Basch <rbasch@MIT.EDU>
Date: Thu, 22 Jan 2009 15:15:22 -0500
To: Quentin Smith <quentin@mit.edu>

On Jan 22, 2009, at 12:08 PM, Quentin Smith wrote:

> I think there's a valid security concern with passwordless sudo
> that it removes a barrier before getting root.

I agree; the goal (I think) was to allow users to use a more
familiar and better interface, not to make getting root easier.
OTOH, I think there is also a valid concern about adding another
place where users have to enter their password.

How about prompting users to enter the root password in sudo? I
think the rootpw flag in sudoers will do this.

Bob
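
An added illustration, not part of the message above or of the athena10 configuration: a small audit that reads sudoers text and reports whether the global `rootpw` default is set and which rules carry `NOPASSWD:`. The two sample policies and the function names are constructed for this example, and the parser is simplified (global `Defaults` lines and full-line comments only).

```python
import re

# Constructed sudoers samples (illustrative; not the athena10 configuration).
PASSWORDLESS = """\
Defaults env_reset
%admin ALL=(ALL) NOPASSWD: ALL
"""
ROOTPW = """\
Defaults env_reset, rootpw
%admin ALL=(ALL) ALL
"""

def logical_lines(text):
    """Yield sudoers lines with backslash continuations joined and
    blank lines and full-line comments dropped."""
    for raw in re.sub(r"\\\n", "", text).splitlines():
        line = raw.strip()
        if not line or (line.startswith("#") and not line.startswith("#include")):
            continue
        yield line

def audit(text):
    """Return (rootpw_enabled, nopasswd_rules) for a sudoers text.

    Assumption: only global 'Defaults' lines are examined; scoped forms
    such as 'Defaults:user' are ignored by this simplified parser.
    """
    rootpw = False
    nopasswd_rules = []
    for line in logical_lines(text):
        fields = line.split(None, 1)
        if fields[0] == "Defaults":
            for item in (fields[1] if len(fields) > 1 else "").split(","):
                item = item.strip()
                if item.lstrip("!").strip() == "rootpw":
                    # A later setting overrides an earlier one; '!' negates.
                    rootpw = not item.startswith("!")
        elif re.search(r"\bNOPASSWD\s*:", line):
            # NOPASSWD skips authentication, so rootpw does not apply to it.
            nopasswd_rules.append(line)
    return rootpw, nopasswd_rules

if __name__ == "__main__":
    for name, policy in (("passwordless", PASSWORDLESS), ("rootpw", ROOTPW)):
        enabled, rules = audit(policy)
        print(f"{name}: rootpw={enabled} NOPASSWD rules={rules}")
```

With `rootpw` set, sudo prompts for the root password instead of the invoking user's; a rule tagged `NOPASSWD:` is still run without any prompt, so both findings matter when reviewing a policy.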