sudo su - is another bad idea
Authored by: datasmid on Oct 14, '04 05:03:39PM

Yeah!!! and fix the sudoers file when you can!

MacOSX sudo su - gives root to any admin; sudo was meant to keep users from su-ing to root and to keep them from editing sudoers. sudo was meant to delegate SOME commands to SOME users from SOME hosts.

PROPOSED FIX
1. Enable the root user in NetInfo
2. Populate the wheel group in NetInfo with the user allowed to become root
3. sudo visudo, enter the hashmark like:
   #%admin ALL=(ALL) ALL
4. chmod o-rx /usr/bin/su



sudo su - is another bad idea
Authored by: bentucker on Oct 14, '04 08:21:49PM

Yes. Also it's a good habit to explicitly run /bin/su -, rather than just su -. Reduces chance of someone throwing another su into the search path and grabbing your password.



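A way to check the search-path concern raised in the comment above, as an added example that is not part of either poster's comment: it lists every executable with a given name along a PATH string and flags entries where a look-alike could be planted. The function name audit_path and its output labels are hypothetical, chosen for this example.

```shell
#!/bin/sh
# Added example. audit_path is a hypothetical helper, not a system tool.
# Usage: audit_path su            (audits the current $PATH)
#        audit_path su "/a:/b"    (audits an explicit PATH-style string)
audit_path() {
    cmd=$1
    search=${2-$PATH}
    first=""
    old_ifs=$IFS
    IFS=:
    set -f                      # do not glob-expand PATH entries
    for dir in $search; do
        # An empty or relative entry resolves against the current
        # directory, so whoever controls that directory wins the lookup.
        case $dir in
            /*) ;;
            *)  echo "RISKY relative-entry '${dir}'"; continue ;;
        esac
        [ -d "$dir" ] || continue
        # Mode string such as drwxr-xr-x; char 6 is group write,
        # char 9 is other write. -L follows a symlinked directory.
        perms=$(ls -ldL "$dir" | cut -c1-10)
        case $perms in
            ?????w*|????????w*) echo "RISKY writable-dir $dir" ;;
        esac
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            if [ -z "$first" ]; then
                first=$dir/$cmd
                echo "USED $first"          # what a bare "$cmd" runs
            else
                echo "SHADOWED $dir/$cmd"   # later copy, never reached
            fi
        fi
    done
    set +f
    IFS=$old_ifs
    return 0
}
```

If the USED line is not the path you expect, or a RISKY line appears before it, typing the full path is what guarantees which binary receives the password.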
sudo su - is another bad idea
Authored by: EddEdmondson on Oct 15, '04 05:08:19AM
No, that's all back to front, surely?

I'd assume that an 'admin' user is allowed to do root operations, and sudo just helps prevent them doing a lot of them by accident.

If you don't want a user to be root then don't make them an admin. You can tweak the sudoers file to give them any additional permissions beyond normal.

Admittedly Apple's use of 'sudo' here is perhaps a bit non-standard but then the idea of 'admin' users is just about as non-standard.
