[903] in athena10


Re: [athena10] sudo

daemon@ATHENA.MIT.EDU (Jonathan Reed)
Thu Jan 22 15:59:22 2009

Cc: Evan Broder <broder@mit.edu>, Robert Basch <rbasch@mit.edu>,
   Quentin Smith <quentin@mit.edu>, Mitchell E Berger <mitchb@mit.edu>,
   Greg Hudson <ghudson@mit.edu>, athena10@mit.edu
Message-Id: <BDE3F163-F3AA-4601-906F-E1A9D45709E9@mit.edu>
From: Jonathan Reed <jdreed@MIT.EDU>
To: Sam Hartman <hartmans@mit.edu>
In-Reply-To: <tslab9jt663.fsf@live.mit.edu>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Thu, 22 Jan 2009 15:58:36 -0500


On Jan 22, 2009, at 3:52 PM, Sam Hartman wrote:

> Well, we want to be very careful not to enable sudo for random users
> on machines with keytabs.  I'd prefer not to enable it without rootpw
> on cluster machines, but it would be actively harmful to enable on
> machines with keytabs even if their configurations are otherwise
> similar to cluster machines.
>
> I guess it's not all that harmful if the machine actually has the
> cluster root password.

The scope of this discussion is limited to cluster machines at this
point, which should not have keytabs. Note, however, that we should
probably make sure to document what debathena-cluster does, and we
should actively discourage people from using it for private
workstations unless they understand all the ramifications of doing so.


