[Linux-disciples] RewriteRule

Adam Kessel linux-disciples@bostoncoop.net
Fri, 8 Aug 2003 15:03:02 -0400


On Fri, Aug 08, 2003 at 02:40:51PM -0400, Stephen R Laniel wrote:
> On Thu, Aug 07, 2003 at 11:19:59PM -0400, Adam Kessel wrote:
> > Some day you will regret sudoing frequently.  Mark my words.
> Have you ever been harmed in this way?

Sure. There have been a few times when I've accidentally deleted or
overwritten files due to some overly complicated command line run as
sudo. Far more often are the times when I've been prevented from doing
harm because a given action required root access, which I didn't have,
since I wasn't sudo-ing. The 'permission denied' error was a wakeup call
that I shouldn't have been trying to do what I was doing.

Particularly given how easy it is to wipe out your whole filesystem ('rm
-rf /' or 'dd of=/dev/hda') you reserve sudo / su for tasks that are
truly administrative.

Note that sudo has caused security problems in the past. Also, obviously,
any security holes in any program that you run with sudo become very bad.
Imagine a buggy (or trojan) version of vim gets uploaded into unstable,
and you sudo vim, and *poof*.

Of course, you're going to have to 'sudo' sometimes. And your system
doesn't have very many users, so you're not necessarily carrying the
weight of the world on your shoulders.  But it's just bad technique to do
things as root on any system unless it really needs to be done that way.
(I'm sure ken and dpt can back me up here).

One other option would be to create a new group for certain
administrative tasks, put yourself in that group, and give that group
write access to something like httpd.conf.  That way, you're at least
cordoning off the damage you can do, and not having to type sudo all the
time.
-- 
Adam Kessel
http://bostoncoop.net/adam
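
The group-based alternative from the last paragraph of the message, as an added example that is not part of the original post: the comments show the one-time setup, and `delegation_ok` checks that the result grants write access to that group and to no one else. The group name `webconf`, the user `alice` and the path are assumptions.

```shell
#!/bin/sh
# One-time setup, run as root (names and path are placeholders):
#   groupadd webconf
#   usermod -aG webconf alice      # takes effect at alice's next login
#   chgrp webconf /path/to/httpd.conf
#   chmod 664 /path/to/httpd.conf
#
# delegation_ok FILE GROUP
# Succeeds only if FILE is a regular file owned by GROUP, group-writable,
# not world-writable, and sits in a directory that is not world-writable
# (a world-writable directory lets anyone replace the file itself).
delegation_ok() {
    file=$1
    group=$2
    dir=$(dirname -- "$file")

    # -prune keeps find on the named path only; the tests after it are ANDed,
    # so the path is printed only when every condition holds.
    match=$(find "$file" -prune -type f -group "$group" \
                 -perm -020 ! -perm -002 2>/dev/null) || return 1
    [ -n "$match" ] || return 1

    # The containing directory must not be writable by "other".
    loose_dir=$(find "$dir" -prune -perm -002 2>/dev/null) || return 1
    [ -z "$loose_dir" ] || return 1
    return 0
}
```

Called as `delegation_ok /path/to/httpd.conf webconf`, it exits 0 when the delegation is as narrow as intended and 1 otherwise, so it can run from cron or a configuration-management check.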
