The sudo fraud

12 points by ilyash, almost 9 years ago

9 comments

advisedwang, almost 9 years ago
Even with unlimited, no-password required sudo, it provides a valuable addition: audit logging.

Every command you run with sudo is logged, along with the user that ran it. On GCP each end user is provisioned a separate login user, and logs can be shipped to Stackdriver Logging where they cannot be modified. This makes access really verifiable.
organman91, almost 9 years ago
There's one very good reason to use sudo instead of being in a root shell: audit trails. sudo logs its invocations. While you could always see who is becoming root, you'd have to look through root's shell history to see what's happening (which isn't hard to purge - one of the many reasons a remote syslog server may be called for).
dllthomas, almost 9 years ago
> Is it really simpler for you to type sudo all the time rather than having one terminal tab open with a root shell?

Yeesh. Privileged work I do is typically interleaved with commands that do not need to be privileged. Actual security considerations aside, I would rather have the guard rails afforded me by a normal user account for things that don't have some specific reason to be privileged.
AstralStorm, almost 9 years ago
Technically, the main point for sudo is allowing non-root users access to a limited set of commands. That said, if you needed this, you should be using an actual MAC system.
jessaustin, almost 9 years ago
The argument-via-AWS probably indicts *sudo*, but it threatens in addition to indict any sort of command line access to production hosts. Why are you fixing your server with a typed command? Why not just kill it and spin up another?
mh-cx, almost 9 years ago
On my servers I often use "sudo -s" in a separate tmux window. I've changed my PS1 to give me a red prompt for root. Over the years I never had a situation where I accidentally did something stupid as root.
apeacox, almost 9 years ago
The only thing I agreed with was: "If you manage a server, use root". sudo is a good way to let unprivileged users execute a restricted set of commands, it's easy to learn and set up.
ilyash, almost 9 years ago
===8<== Update 2016-07-09 05:58 UTC

Just to be clear: Please note it's filed under the "Rant" category. The post has some valid points but don't take it too seriously. Use your best judgment to decide which parts of the above apply to your situation. ===8<===
er0k, almost 9 years ago
This seems relevant: http://www.garyshood.com/root/
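
The audit-trail point raised in the comments above, as an added example that is not part of the thread: a Python parser for sudo's default syslog records that separates logged commands, denied attempts, and interactive shells, after which sudo itself records nothing further. The sample log lines, function names and shell list are constructed for illustration.

```python
import re

# Constructed sample in sudo's default syslog format (not real log data).
SAMPLE_LOG = """\
Jun  8 10:01:12 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jun  8 10:03:40 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun  8 10:05:02 web1 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/su -
Jun  8 10:07:19 web1 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=postgres ; COMMAND=/usr/bin/psql -c select 1
Jun  8 10:09:55 web1 sudo:     dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jun  8 10:10:00 web1 sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
"""

LINE_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<invoker>\S+) : (?P<fields>.*)$")
SHELLS = {"sh", "bash", "zsh", "dash", "ksh", "fish"}  # assumed list, extend as needed

def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = LINE_RE.search(line)
    if not m or "COMMAND=" not in m["fields"]:
        return None
    # COMMAND= is always last and may itself contain " ; ", so split it off first.
    head, _, command = m["fields"].partition("COMMAND=")
    event = {"invoker": m["invoker"], "command": command.strip(), "denied": None}
    for part in filter(None, head.split(" ; ")):
        key, sep, value = part.strip().partition("=")
        if sep:
            event["runas" if key == "USER" else key.lower()] = value
        else:
            event["denied"] = part.strip()  # e.g. "user NOT in sudoers"
    return event

def classify(event):
    """Label a parsed record as 'denied', 'interactive-shell' or 'command'."""
    if event["denied"]:
        return "denied"
    argv = event["command"].split() or [""]
    name = argv[0].rsplit("/", 1)[-1]
    # su or a bare shell: sudo logs only the launch, not what is typed inside
    # it (unless sudo I/O logging or a separate mechanism such as auditd is set up).
    if name == "su" or (name in SHELLS and len(argv) == 1):
        return "interactive-shell"
    return "command"

def audit(log_text):
    events = [e for e in map(parse_sudo_line, log_text.splitlines()) if e]
    return [(e["invoker"], classify(e), e["command"]) for e in events]

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row, sep="\t")
```

Records labelled `interactive-shell` mark where the per-command trail ends, which is the gap between the sudo log and root's shell history described in the thread.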