Somebody call the Wahhhmbulance. This guy is outmoded. How about expanded security permissions for small groups of people in a larger directory? How about PAM auth plugins? How about escalation preventiontion for those same people, PLUS auditing instead of just seeing “root did something dumb”.
I don’t even get why this gent even bothered to wine and complain about this except that he doesn’t “get it”. This has been a solved issue for over 20 years now, and you don’t see large swathes of folks bitching and moaning about sudo at all.
This is the part that confused me most. At the first mention of web apps, I just thought, okay, if you have a web server you can have it run under a service account that can do what it needs to do. Sure. Kind of beside the point, but sure.
Then this came at the end and and I did a double-take. He’s really suggesting a web app as a substitute for sudo in general? Two questions:
Sudo and doas are 1000x (in loc) more complex than they need to be for destop pc. Yet they are always default installed and some tools even expect them.
edit: didn’t know that doas is that small. I thought it has ~1/10 of sudo’s code but it’s actually ~2k vs. 132k of sudo.
I use rdo and ssu, each with a bit over 100 loc C code. Though they both have their own strong and weak points, i’m sure there are other similiar tools around.
doas is relativly simple (a few hundred LOC), especially compared to sudo. The main benefit of run0 over doas is that it isn’t a SUID binary, they are similary complex.
Actually, i thought about merging rdo and ssu, both a bit over 100 loc in C. Yes, it would be feasible over a weekend. I just have a lot of other stuff i need to do first.
Thought about “merging” because ssu works without asking for password, but it has weak argument parsing (need ‘ssu – stuff’) and works only on cli stuff. “Merging” meaning taking some inspirations from rdo to fix ssu. But ssu is great if used in yay (aur helper) or for nano, mv & co.
I feel like an important thing he forgot to mention though is that it lets you allow multiple users to have root privileges without having to share passwords or SSH keys
Indeed useful to not having to share passwords. I think sudo historically started as a way to let some users in a company for example manage printer server settings without having a root password. (And I believe it was Ubuntu in 2004 which promoted sudo and forced the default user after an installation to use sudo to perform root commands).
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !linux@lemmy.ml
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
Somebody call the Wahhhmbulance. This guy is outmoded. How about expanded security permissions for small groups of people in a larger directory? How about PAM auth plugins? How about escalation preventiontion for those same people, PLUS auditing instead of just seeing “root did something dumb”.
I don’t even get why this gent even bothered to wine and complain about this except that he doesn’t “get it”. This has been a solved issue for over 20 years now, and you don’t see large swathes of folks bitching and moaning about sudo at all.
A web app? Effin really!!? 🤨
This is the part that confused me most. At the first mention of web apps, I just thought, okay, if you have a web server you can have it run under a service account that can do what it needs to do. Sure. Kind of beside the point, but sure.
Then this came at the end and and I did a double-take. He’s really suggesting a web app as a substitute for sudo in general? Two questions:
Sudo and doas are 1000x (in loc) more complex than they need to be for destop pc. Yet they are always default installed and some tools even expect them.
edit: didn’t know that doas is that small. I thought it has ~1/10 of sudo’s code but it’s actually ~2k vs. 132k of sudo.
Now that you’ve mentioned how complex they are, can you share a few alternatives, apart from run0?
I use rdo and ssu, each with a bit over 100 loc C code. Though they both have their own strong and weak points, i’m sure there are other similiar tools around.
doasis relativly simple (a few hundred LOC), especially compared tosudo. The main benefit ofrun0overdoasis that it isn’t a SUID binary, they are similary complex.Actually it’s close to 2k lines of code (1,946 to be exact). But yes, it’s certainly a lot simpler than sudo (132k).
I await your much improved solution then. It sounds so simple, I bet you knock it out over the weekend, right?
Actually, i thought about merging rdo and ssu, both a bit over 100 loc in C. Yes, it would be feasible over a weekend. I just have a lot of other stuff i need to do first.
Found ssu here : https://github.com/illiliti/ssu Can’t find rdo. What is it ?
https://codeberg.org/sw1tchbl4d3/rdo
Thought about “merging” because ssu works without asking for password, but it has weak argument parsing (need ‘ssu – stuff’) and works only on cli stuff. “Merging” meaning taking some inspirations from rdo to fix ssu. But ssu is great if used in yay (aur helper) or for nano, mv & co.
Thanks
I feel like an important thing he forgot to mention though is that it lets you allow multiple users to have root privileges without having to share passwords or SSH keys
Indeed useful to not having to share passwords. I think sudo historically started as a way to let some users in a company for example manage printer server settings without having a root password. (And I believe it was Ubuntu in 2004 which promoted sudo and forced the default user after an installation to use sudo to perform root commands).
Why would they need to share ssh keys? Ssh will happily accept dozens of allowed keys.
Oh true yeah I always forget about that