Sat, 12 Nov 2005
Sudo Article Promoted Bad Behaviour
I like sudo, it allows you to give people (and automated jobs) more privileges without having to hand out the root password. One of the more important aspects of its use is restricting the commands a user can run. After all, limiting peoples access to rootly powers doesn't help much if they can just shell out to bash or edit the shadow file (or other important files) and locally escalate their privileges.
Unfortunately a Linux.com sudo article shows new users a number of ways of doing this without explaining why it's a really bad idea. I understand that a lot of people just give themselves full root powers using sudo (hell I do on my own machines) but in an article pointed at beginners, especially one that has examples of using an interactive editor with sudo, the concepts need to be explained and some good practices presented. More why with the how please.
The highlight of the article for me was introducing new users to the 'sudoedit' and '-e' options: "but it uses the editor in your $EDITOR environment string". How often do you check the value in $EDITOR? Neither do I. And you're expected to blindly trust, with full root powers, whichever command it points to?