On 5/7/24 10:29, Richard Kettlewell wrote:
> Certainly getting the escalated process out of the calling user’s
> environment, as run0 does, is a real improvement. Being able to
> remove setuid/setgid programs from Linux would be a big step forward
> in security terms.

I don't agree that removing setuid / setgid binaries from systems is
the panacea some make it out to be.
I also suspect that we may be looking at sudo, et al, slightly
differently.

All of the use cases we had at my previous employer were business
justifiable (as in the business benefited from people running the
commands) and had multiple layers of management approval / blessing
for the requestor to be able to run them.

So sudo really was a way to conveniently provide the approved commands
without the requestor needing to go through the hassle of checking the
shared password out of a database, logging in as the target user,
running the necessary commands, logging out, and ensuring that the
password was rotated.

Sudo was really a way to make it easier for people to access the
privileges that they had already been granted.

The more people that need to access a shared account, the more benefit
there is in them not utilizing the shared password for everything.