On 03/03/2010, Ty John <ty-ml@xxxxxxxxxxxxxxx> wrote:
> On Tue, 02 Mar 2010 20:24:20 -0600
> "David C. Rankin" <drankinatty@xxxxxxxxxxxxxxxxxx> wrote:
>
>> On 03/01/2010 05:03 PM, Ray Kohler wrote:
>> > What would worry me is things like JavaScript exploits and worms -
>> > things that you download and then run as yourself, whether
>> > intentionally or not. A password prompt will block malware like
>> > that, but with no password, you just go owned in one step.
>>
>> How would this be any different than 'sudo' configured to allow
>> members of the wheel group to sudo w/o a password?
>>
>> Same answer - data prevails - set sudo to require a password? I have
>> run servers for more than a decade with sudo/wheel group access
>> enabled w/o a password - no problems. May have just been lucky :p
>>
>> Ray, all - any different thoughts about sudo w/o a password compared
>> to su? Or same answer, with no password, you just got owned in one
>> step :p
>>
>
> sudo can be limited to only certain commands also. IMO su should remain
> as secure as possible and sudo should be customised for the situation.

It's all a moot point. If you want to talk about "things that you run
yourself", then su/sudo does nothing to help you in any way. Most of
the su/sudo thing derived from *NIX machines being academic remote
systems accessed by more than one person, and not a single-user desktop
which could be attacked and infected by the user's own epic failures.

http://www.geekzone.co.nz/foobar/6229

--
GPG/PGP ID: B42DDCAD