undefined | Better HN

0 pointseep_social2y ago0 comments

Aye, but then we are (I think) sharing credentials so we can both log in as the user with specific (read: elevated) permissions, and we lose any ability to know who the “real” person-user is on top. So it’s a different problem and we’re starting to talk about threat models and such..

0 comments

cedws2y ago

> we lose any ability to know who the “real” person-user is on top

It's a complex topic probably best suited for discussion elsewhere, but do we even need to discern that anymore? Statistically most Linux systems running now are single-seat (as in, one real user).

A big corp with thousands of servers and employees might want to know this stuff for audit logging, but if employees have root access, they can already fake everything at ring 3. Big corps use security software that do that stuff in ring 0.

e12e2y ago

> if employees have root access

The main usecase of sudo over su (or suid binaries) is limited access (clear/re-run the mail queue - not reconfigure the mail daemon)

j / k navigate · click thread line to collapse