[904] in athena10
Re: [athena10] sudo
daemon@ATHENA.MIT.EDU (Sam Hartman)
Thu Jan 22 16:08:22 2009
From: Sam Hartman <hartmans@MIT.EDU>
To: Evan Broder <broder@mit.edu>
Cc: Robert Basch <rbasch@mit.edu>, Quentin Smith <quentin@mit.edu>,
Mitchell E Berger <mitchb@mit.edu>, Greg Hudson <ghudson@mit.edu>,
athena10@mit.edu
Date: Thu, 22 Jan 2009 16:07:49 -0500
In-Reply-To: <4978DDF6.9000108@mit.edu> (Evan Broder's message of "Thu, 22 Jan
2009 15:58:30 -0500")
Message-ID: <tsl3afbrqvu.fsf@live.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Well, I think I agree with jdreed's concerns about documentation. I
could easily see people like SIPB (without SIPB's clue) assuming that
installing debathena-login-cluster-config would be a reasonable thing
to do on a machine like a SIPB office head. I understand there are
several reasons this is a bad call.
The points I think are important going forward are:
1) sudo may perhaps be useful in clusters. It definitely is not on other machines using Kerberos for authentication that do not have public root passwords.
2) In addition to the other reasons stated, there may be concerns about
enabling sudo in the cluster environment if it enforces a user
expectation that would be insecure elsewhere.
3) The documentation requirement that debathena-cluster (and some of
its dependencies) really should not be installed in other
situations is important.
--Sam