undefined | Better HN

0 pointsmort9614d ago0 comments

Yes, that would be one potential solution. But I have certainly never done it and bet >99.999% of the world's use of sudo is through 'sudo'.

Plus you only need one slip-up and you're hosed. Even people who try to almost always use '/usr/bin/sudo' will undoubtedly accidentally let a 'sudo' go through. Maybe they copy/paste a command from somewhere (after verifying that it's safe of course) and just didn't think of the sudo issue then and there.

0 comments

sinsudo14d ago

The real problem is that there should be at least 2 levels for sudo, one for installing software and another that really allows someone to compromise the entire system, both layers should be separate to mitigate risk. At least the most secure layer should allow you to perform secure recovering and diagnosis

DonHopkins14d ago

Unix used to have a user named "bin" just for owning all the binaries and performing installs.

sinsudo14d ago

The old bin user is an idea that could be modernized with a new two level sudo concept, the higher one for recovery and diagnosis, already done in Chromebook and other solutions

1 more reply

lrvick14d ago

You do not need sudo for installing software. Can just install to ~/.local.

Many package managers require sudo, sure, but there is no good reason for them to in a modern linux system, and not all require this.

Even with systemd, you can use systemd --user.

michaelmior14d ago

That depends on what the software is. If you want to run a service that bonds to a privileged port for example, you need sudo.

3 more replies

DaSHacka14d ago

More than just two levels for sudo, the Linux permission model is completely broken for this very reason. (Also see: https://xkcd.com/1200/)

Honestly, the Android approach is significantly better. (and for that, see Micay's various ramblings posted online)

j / k navigate · click thread line to collapse

0 comments

sinsudo14d ago

DonHopkins14d ago

Unix used to have a user named "bin" just for owning all the binaries and performing installs.

sinsudo14d ago

The old bin user is an idea that could be modernized with a new two level sudo concept, the higher one for recovery and diagnosis, already done in Chromebook and other solutions

1 more reply

lrvick14d ago

You do not need sudo for installing software. Can just install to ~/.local.

Many package managers require sudo, sure, but there is no good reason for them to in a modern linux system, and not all require this.

Even with systemd, you can use systemd --user.

michaelmior14d ago

That depends on what the software is. If you want to run a service that bonds to a privileged port for example, you need sudo.

3 more replies

DaSHacka14d ago

More than just two levels for sudo, the Linux permission model is completely broken for this very reason. (Also see: https://xkcd.com/1200/)

Honestly, the Android approach is significantly better. (and for that, see Micay's various ramblings posted online)

j / k navigate · click thread line to collapse