[ale] Sudo

Jim Popovitch jimpop at yahoo.com
Thu May 19 14:59:55 EDT 2005


On Thu, 2005-05-19 at 12:07 -0400, Jason Day wrote:
> On Wed, May 18, 2005 at 05:21:40PM -0400, Jim Popovitch wrote:
> > Several times in the (still going)
> > setuid/viral/malware/root/non-root/etc discussion people have mentioned
> > using sudo.  One of the things I've always disliked about sudo is the
> > need for me to have to preface some commands I want to run as su vs
> > which I don't.  What I mean is as a user if I want to run "ifconfig eth
> > mtu 1149", I need to actually run "sudo ifconfig eth0 mtu 1149", but if I
> > want to just see what the MTU is for interface eth0 I don't need sudo.
> > What I think would be neat is for bash (or other shells) to remember
> > sudo commands that users run and to automatically invoke sudo the next
> > time I run the command without it.  Knowing when to use sudo is not the
> > issue here, having sudo know when it is needed is.  
> > 
> > A couple of questions:
> > 
> > 1) Why would this be good/bad?
> 
> Personally, I think this is a bad idea because it removes the extra step
> needed to perform a privileged action.  If you've configured sudo so
> that you don't need to enter a password, then having the shell
> automatically convert "command" to "sudo command" is dangerous.  It's
> equivalent to always running as root, which we all know I think is a bad
> idea :)

;-) True, but some commands, even though they require root, aren't
dangerous for users to run on a desktop/laptop.  In those cases why
bother forcing them to use sudo... just do it automagically for them and
let sudo prompt them for a passwd according to settings in sudoers.  Let
sudo be the gatekeeper, not the bash command line.

> > 2) Is this something bash completion could accomplish?
> 
> I don't think so.  But it might be possible to write a wrapper script
> that takes user input, passes it to bash, then passes the bash output
> back to the user.  For each user input command, if it starts with
> 'sudo', store the command in a hashtable.  If it doesn't start with
> sudo, then see if the command is in the hashtable.  If it is, prepend
> 'sudo ' before passing it to bash.  I don't know how well that would
> work with pipes though.

Excellent idea.  A bash wrapper.  Perhaps I'll call it "subash".  ;-)

-Jim P.
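
The rewrite step of the wrapper described in the quoted reply, as an added example that is not code from either poster. It assumes the exact command line, not just the command name, is the lookup key (so "ifconfig eth0" is not promoted because "ifconfig eth0 mtu 1149" was), leaves lines containing pipes or other shell metacharacters unchanged, and uses a newline-separated list in place of the hashtable; all function and variable names are hypothetical.

```sh
#!/bin/sh
# Added example: the rewrite step of a "subash"-style wrapper.
# All names are hypothetical. SUBASH_SEEN is a newline-separated list of
# command lines previously run under sudo (stands in for the hashtable).
NL='
'
SUBASH_SEEN=""

# True if the line has pipes, lists, redirects or substitutions.
subash_is_compound() {
    case $1 in
        *'|'*|*';'*|*'&'*|*'<'*|*'>'*|*'`'*|*'$('*) return 0 ;;
    esac
    return 1
}

# True if this exact command line was run under sudo before.
subash_known() {
    case "${NL}${SUBASH_SEEN}" in
        *"${NL}${1}${NL}"*) return 0 ;;
    esac
    return 1
}

# Record a command line once.
subash_remember() {
    subash_known "$1" || SUBASH_SEEN="${SUBASH_SEEN}${1}${NL}"
}

# Print the line the wrapper would pass to bash.
subash_rewrite() {
    if subash_is_compound "$1"; then
        printf '%s\n' "$1"      # never rewrite or learn compound lines
        return 0
    fi
    case $1 in
        'sudo '*)
            subash_remember "${1#sudo }"
            printf '%s\n' "$1" ;;
        *)
            if subash_known "$1"; then
                printf 'sudo %s\n' "$1"   # sudoers still decides and prompts
            else
                printf '%s\n' "$1"
            fi ;;
    esac
}
```

Call subash_rewrite directly rather than inside `$(...)` when a line should be learned, since a command substitution runs in a subshell and discards the update to SUBASH_SEEN.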








