Path: csiph.com!usenet.pasdenom.info!weretis.net!feeder1.news.weretis.net!feeder.erje.net!eu.feeder.erje.net!newsfeed.xs4all.nl!newsfeed1.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.070 X-Spam-Evidence: '*H*': 0.86; '*S*': 0.00; 'root': 0.05; '(especially': 0.07; 'admin,': 0.09; 'admins': 0.09; 'principals': 0.09; 'suffix': 0.09; 'effect.': 0.16; 'from:addr:torriem': 0.16; 'from:name:michael torrie': 0.16; 'liking,': 0.16; 'multiple,': 0.16; 'password,': 0.16; 'principal.': 0.16; 'sudo': 0.16; 'all.': 0.16; 'wrote:': 0.18; 'normally': 0.19; 'admin': 0.22; 'separate': 0.22; 'header:User-Agent:1': 0.23; 'right.': 0.26; 'van': 0.27; 'header:In-Reply-To:1': 0.27; 'idea': 0.28; 'michael': 0.29; 'am,': 0.29; 'easier': 0.31; 'credentials': 0.31; 'disabled': 0.31; 'allows': 0.31; 'another': 0.32; 'everyone': 0.33; 'case,': 0.35; 'but': 0.35; 'passwords': 0.36; 'surely': 0.36; "i'll": 0.36; 'message-id:@gmail.com': 0.38; 'configured': 0.38; 'to:addr :python-list': 0.38; 'fact': 0.38; 'bad': 0.39; 'to:addr:python.org': 0.39; 'changed': 0.39; 'received:org': 0.40; 'easy': 0.60; 'company': 0.60; 'new': 0.61; 'simple': 0.61; 'more': 0.64; 'accounts': 0.64; 'fire': 0.65; 'needing': 0.65; 'charset:windows-1252': 0.65; 'life': 0.66; 'benefit': 0.68; 'importantly,': 0.68; 'safe': 0.72; 'subject:Hello': 0.72; 'account.': 0.80; 'careful': 0.91; 'lazy': 0.91; 'subject:World': 0.91; 'audit': 0.93; 'mr.': 0.98 X-Virus-Scanned: amavisd-new at torriefamily.org Date: Sat, 17 Jan 2015 19:09:16 -0700 From: Michael Torrie User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 MIME-Version: 1.0 To: python-list@python.org Subject: Re: Hello World References: <54957226$0$12975$c3e8da3$5496439d@news.astraweb.com> <54ba76e0$0$15897$e4fe514c@dreader35.news.xs4all.nl> <54baa4b1$0$15857$e4fe514c@dreader35.news.xs4all.nl> In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 27 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1421546969 news.xs4all.nl 2841 [2001:888:2000:d::a6]:55026 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:83961 On 01/17/2015 11:47 AM, Michael Ströder wrote: >> sudo makes administrators careless, lazy and it is not simple at all. > > Admins must have separate accounts with separate credentials for > administrative work and must be careful when using an administrative account. Right. This is not a bad idea in a large organization. In any case, Sudo is more auditable than su in my opinion, but more importantly, it's much easier to revoke. With su, if I fire an admin, I have to change root passwords on every machine, and redistribute the new password to every admin that needs it. With sudo, I might still change the root password, but I'll lock the root password up in a safe box somewhere, and life goes on for everyone else. In fact with root disabled entirely, the whole root password needing to be changed when a person leaves the company is completely eliminated. sudo allows us (especially with the idea about separate admin credentials) to have multiple, controllable, auditable, root passwords in effect. Surely the benefit of this can be seen. Another good alternative to sudo is ksu, which is a kerberized su. This also provides an excellent audit trail, and is easy to revoke. This may be more to Mr. van der Horst's liking, as normally ksu is configured to accept only principals with a /admin suffix (arbitrarily chosen). So admins would have their normal principal, and their admin principal. It's a pretty slick system if you have Kerberos up and running.