TobiSGD wrote:If you use sudo for its main purpose, giving certain users well defined access rights to certain programs,
If the main purpose was well defined access to certain programs by certain users then sudo would of never been designed with the ALL keywords. It's main purpose is simply to allow users to run system commands without having the root password.
I didn't say there was anything wrong with using sudo on a single user system. Maybe you missed the discussion so far but I have been for sudo if a user wants it. I am even for sudo that doesn't ask for a password. If a user wants the convenience of sudo I would think that at least some of them would want the added convenience of it not bothering them for a password.there is nothing wrong with using sudo, even on a single user system.
What I said was that most single users systems do not need sudo at all. In other words, sudo is not necessary. I could of said that NO single user systems need sudo and it still would of been true.
Now if we are looking at it from a security standpoint then it is never prudent to have packages installed that are not needed. Having packages installed that aren't needed adds attack vectors for no reason. So just installing sudo is a risk, not configuring it to be more secure is a risk, and having it not ask for a password is a risk. A user should be free to pick his own risk level.
Now if a user suggested something risky AND stated it was fine for everyone to do then that would be inaccurate info and should be corrected. But the OP just stated information. In fact he simply posted a perfectly valid configuration. He didn't suggest it was for everyone or even anyone. So to me there was nothing to correct in that regard. I did add that visudo should be used and that it was important to understand the (ALL:ALL) part but I consider those to be additions rather than corrections.
But that doesn't mean you need sudo, it simply means you choose to use sudo. And anyway, why on earth would a user want to type sudo to mount a iso image rather than just su'ing to root and mounting an iso image or using su -c to mount it?For example, you might use the root account for system administration, but may have set up sudo to allow the normal user to loop-mount ISO images.
It isn't without my consent. I consented when I opened my browser and chose to allow it to do what it does. Anything it runs is actually me doing it. It is me running a program whose function is to run scripts, interpret markup, display images, play media, etc.If a third party is able to run code on your system without your consent, how would you call that? I would say that you are not the only user of that system in that case.
Exactly. and the OP did not even offer any advice to correct. Nobody said to do anything. They only offered a way of doing something. Only those looking a way to do this would be doing it anyway. Those people have already decided to take the risk, better to instruct/guide them in that risk than to leave them to figure it out for themselves.Hallvor wrote: As long as bad advice gets shot down within reasonable time and within the same thread, I don' t see any problem.
I would hope that every user decides their own acceptable level of security.confuseling wrote:If this thread proves anything, it's that there isn't universal agreement about best practices and acceptable levels of security.