[indiana-discuss] Indiana Wish List
Tim Bray
Tim.Bray at Sun.COM
Tue Jul 10 06:30:55 PDT 2007
On Jul 10, 2007, at 1:15 AM, John Sonnenschein wrote:
> Well, for one, sudo makes every user's password as valuable to an
> attacker as root's. There's also the problem that a slightly
> misconfigured sudo can give full root access to a potentially
> malicious user. For example, allowing access to something which can
> in some cases spawn a shell essentially makes that user root.
>
> RBAC on the other hand allows you to grant far more well-verified,
> and infinitely finer grained (for example, ACLs granting write
> permissions to individual files) privileges to a user.
I.e. sudo & RBAC hit different points on the security/convenience/
complexity curve. My experiences in the bad, bad old days with VAX/
VMS make me deeply suspicious of "fine-grained" security, but I'm
willing to believe things have improved. However, I am far far from
convinced that the world doesn't have a place for sudo, sensibly
applied, and I *really* want to minimize the number of cases where we
have to have dialogues of the form

  LinuxHack: Aagh. XXX is missing, and I use it all the time.
  SolarisGuru: You shouldn't want XXX, because Solaris has YYY which is
  better.

You know, if YYY is really better, your typical *n*x hack will figure
this out pretty quick and stop using XXX.
> To be honest, I think doing away with the root account altogether
> and replacing it with a half dozen administrative accounts would be
> ideal. Once the initial shock of the new way of doing things was
> over, it would be an ideal and wonderful change for both home users
> and enterprise users over the 30 year old paradigm of (user |
> superuser)
Um, can we decouple the blow-up-*n*x-security-and-rebuild-from-zero
project from the make-Solaris-more-appealing-to-the-world project?

-Tim
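
The misconfiguration raised in the quoted text (a sudo rule for a program that can spawn a shell) can be checked for mechanically. The following is an added example, not part of the original message: a simplified sudoers audit in Python. The function name `audit_sudoers`, the `SHELL_CAPABLE` list and the sample rules are assumptions constructed for illustration, and the parser ignores aliases, includes and continuation lines.

```python
import os
import re

# Assumption: a short, illustrative (not exhaustive) set of programs that can
# start a shell from inside themselves: editors, pagers, interpreters, shells.
SHELL_CAPABLE = {"vi", "vim", "less", "more", "sh", "bash", "ksh", "perl", "python"}
SPEC = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(.+)$")   # user host = command list
SKIP = re.compile(r"^(Defaults|\w+_Alias)\b")          # not user specifications

# Constructed sample sudoers content, not taken from any real system.
SAMPLE = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL) ALL
alice   ALL=(root) /usr/bin/less /var/log/messages
bob     ALL=(root) NOEXEC: /usr/bin/less /var/log/messages
carol   ALL=(root) /usr/sbin/lpadmin, /usr/bin/vi /etc/hosts
"""

def audit_sudoers(text):
    """Return (line number, user, command, reason) for each risky rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or SKIP.match(line):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        user, _host, cmds = m.groups()
        noexec = False  # a tag stays in effect for the rest of the command list
        for item in cmds.split(","):
            item = re.sub(r"^\([^)]*\)\s*", "", item.strip())  # drop (runas)
            while (tag := re.match(r"([A-Z_]+):\s*", item)):
                if tag.group(1) == "NOEXEC":
                    noexec = True
                elif tag.group(1) == "EXEC":
                    noexec = False
                item = item[tag.end():]
            if not item:
                continue
            prog = item.split()[0]
            if prog == "ALL":
                findings.append((lineno, user, prog, "unrestricted command set"))
            elif os.path.basename(prog) in SHELL_CAPABLE and not noexec:
                findings.append((lineno, user, prog, "can spawn a shell, no NOEXEC"))
    return findings
```
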