Computer Groups Forum Index » Macintosh Systems » Apple recommending anti-virus software for Macs?

Troubled Tony
Posted: Thu Dec 04, 2008 8:58 am
Barry Margolin <barmar@alum.mit.edu> wrote:
Quote:
Since you don't need to be root...
Until you do.
Try running fsck or mknod without it, for example.
Or a 'umount -f'. There are plenty of days where
I've needed to be root.
Sometimes Finder won't do something because of
permissions, and fails to ask for the admin passwd
or fails even when it does ask and you give it.
Sometimes I want to kill a system process, and I'm
certainly not going to bother with ActivityMonitor.
When compiling a package and installing it system-wide,
that needs root. Apache default install writes this file:
/System/Library/LaunchDaemons/org.apache.httpd.plist
You have to become root to start/restart apache, if it needed it.
/tmp 62e apachectl start
launchctl: CFURLWriteDataAndPropertiesToResource(/System/Library/LaunchDaemons/org.apache.httpd.plist) failed: -10
/tmp 63e su
Password:
sh-3.2# apachectl start
sh-3.2#

Troubled Tony
Posted: Thu Dec 04, 2008 9:09 am
Warren Oates <warren.oates@gmail.com> wrote:
Quote:
If you only use the GUI, you probably won't do much damage. If you use
the command line, it's too easy to type rm -r * in the wrong directory
to hose your system.
An experienced admin aliases 'rm' to 'rm -i' in both his user
and root accounts.
To be ultra-safe with the 'rm' command, make it an 'ls' command
first, check that's the correct target, then do an up-arrow to
get the commandline again, type a Ctl/A to get to the beginning
of the line, Ctl/D's to delete the 'ls', then type '\rm -rf' to
execute the 'rm' and bypass the interactive questioning of 'rm -i'.

Tom Harrington
Posted: Thu Dec 04, 2008 9:10 am
In article <x5ydnfpF893nyKrUnZ2dnUVZ_gSdnZ2d@giganews.com>,
Troubled Tony <nonexistent@hotmail.com> wrote:
Quote: Barry Margolin <barmar@alum.mit.edu> wrote:
Since you don't need to be root...
Until you do.
Try running fsck or mknod without it, for example.
Or a 'umount -f'. There are plenty of days where
I've needed to be root.
This is why the "sudo" command was invented.
--
Tom "Tom" Harrington
Independent Mac OS X developer since 2002
http://www.atomicbird.com/

Troubled Tony
Posted: Thu Dec 04, 2008 9:16 am
Tom Harrington <tph@pcisys.no.spam.dammit.net> wrote:
Quote: Troubled Tony <nonexistent@hotmail.com> wrote:
Barry Margolin <barmar@alum.mit.edu> wrote:
Since you don't need to be root...
Until you do.
Try running fsck or mknod without it, for example.
Or a 'umount -f'. There are plenty of days where
I've needed to be root.
This is why the "sudo" command was invented.
That's running as root, dude.

Barry Margolin
Posted: Thu Dec 04, 2008 10:14 am
In article <u4ednUBmN_4bxKrUnZ2dnUVZ_tHinZ2d@giganews.com>,
Troubled Tony <nonexistent@hotmail.com> wrote:
Quote: Tom Harrington <tph@pcisys.no.spam.dammit.net> wrote:
Troubled Tony <nonexistent@hotmail.com> wrote:
Barry Margolin <barmar@alum.mit.edu> wrote:
Since you don't need to be root...
Until you do.
Try running fsck or mknod without it, for example.
Or a 'umount -f'. There are plenty of days where
I've needed to be root.
This is why the "sudo" command was invented.
That's running as root, dude.
But just for a single command, so you minimize the risk. The
recommendation is against logging in as root.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Troubled Tony
Posted: Thu Dec 04, 2008 11:03 am
Barry Margolin <barmar@alum.mit.edu> wrote:
Quote: Troubled Tony <nonexistent@hotmail.com> wrote:
Tom Harrington <tph@pcisys.no.spam.dammit.net> wrote:
Troubled Tony <nonexistent@hotmail.com> wrote:
Barry Margolin <barmar@alum.mit.edu> wrote:
Since you don't need to be root...
Until you do.
Try running fsck or mknod without it, for example.
Or a 'umount -f'. There are plenty of days where
I've needed to be root.
This is why the "sudo" command was invented.
That's running as root, dude.
But just for a single command, so you minimize the risk. The
recommendation is against logging in as root.
That's NOT the purpose of sudo.
And if you 'su' to execute just one command as root,
you simply Ctl/D after issuing the command. Enabling the
root account is an entirely different matter. Then there's:
# Alternative Sudo Authentication
#
# By default sudo will require the password of an admin
# user already logged in. This has one drawback: if an
# interloper acquires the admin password the interloper
# by default also has access to the root account.
#
# It is possible to configure sudo to instead demand
# the password for the root account, but this would necessitate
# enabling the root account - something better avoided.
#
# But the last field in a user record denotes the program
# ('shell') that will be run on a successful login; were
# this shell set to /usr/bin/false the successful login
# would immediately exit again, incapable of causing
# any harm or doing anything at all. [false is a program
# that simply exits with a non-zero (error) code.]
#
# And set the second last field - the login directory
# - to /var/empty to be doubly sure. [That's what it's
# there for.] And finally you give root a password -
# and of course not the admin password.
#
# root:tNzaRKtRg7Xyf:0:0:Revolving Door Root Account:
# /var/empty:/usr/bin/false
#
# [Of course this can - and should - be done other ways
# as /etc/passwd is only recognised on single user mode
# logins. On OS X Tiger systems or earlier it's NetInfo
# Manager.] [TT adds: it's now Directory Services]
#
# Once that's done you change the authentication requirements
# in /etc/sudoers. Add 'Defaults:rootpw' with visudo.
----
Tom Harrington <tph@pcisys.no.spam.dammit.net> wrote:
Quote: Troubled Tony <nonexistent@hotmail.com> wrote:
Try running fsck or mknod without it, for example.
Or a 'umount -f'. There are plenty of days where
I've needed to be root.
This is why the "sudo" command was invented.
No, it was invented for multi-user environments,
typically production systems.
It has an extensive mechanism for one user to run
another program as another user, or get to a shell
for another account.
http://www.linux-mag.com/id/4824
#
# It's not just for root access though. You can use it
# to grant account access from one user to another. For
# example, logging in as user1 and then entering "sudo
# -i -u user2" gives you an interactive session as user2
# without having to know user2's password (assuming appropriate
# sudoers configuration).
#
# So for example if user2 is a production account running
# say the accounting system and user1, a support person,
# needs to login to the production accounting account
# they can do so without knowing the production account
# password and their access is logged (i.e., user user1
# logged in as user2 at ).
I've seen it used for lpadmin commands, getting into the
Informix account, turning system accounting on/off.
I remember Data Security having us admins configure sudo
for a trader to be able to issue lpadmin commands: they
didn't want him to have root access just to be able to
stop/restart printer queues. Ironically, a Data Security
guy (IBM background) did a 'chmod 700 /' to make their
Unix security server more secure...their first surprise
was when no one could login again.
Sudo certainly wasn't created just to execute a single root
command. Or even a series, given that once you give sudo
your passwd, you can then issue five more minutes worth
of sudo root commands without a passwd. That's also considered
a security weakness. It's also an awkward intersection with
simply su'ing.
Sudo is one of a number of mechanisms created to enable
different 'roles' for users without them always becoming
the all-powerful 'root' to do things. Groups are also
used for that, as are the funky file ACLs.
(Regarding the standard popup request for an admin passwd:)
In Apple Darwin Unix, there is a GUI API for popping up a
GUI version of sudo (sort of like how file-browsing-chooser
windows are invoking a standard API) so whatever you are
running gets escalated permissions...you see it to become a
network admin (SysPref), if Finder needs a passwd to change
something, etc.
That "flattens out" all roles to a single admin passwd,
which becomes similar to just being root, really.
Surprise.
That it's got a GUI wrapper is beside the point.
Since most people, especially on their own desktops, do not
configure sudo to enable certain users to perform certain
roles, and since the OS X admin confirmation pop-up passwd
window isn't configured to enable roles (that I know of)
but instead enable root access to do whatever, then the
original idea of _not_ using the all powerful root account
instead of roles is lost.
Whether you use sudo to issue a single root command, or
get prompted by a GUI to give your admin passwd, it's
still becoming root without the role stratification for
security purposes.

Jolly Roger
Posted: Thu Dec 04, 2008 11:30 am
In article <barmar-FAB60C.22243403122008@mara100-84.onlink.net>,
Barry Margolin <barmar@alum.mit.edu> wrote:
Quote: In article <dfmanno-11F1B3.22142203122008@feeder.motzarella.org>,
"D.F. Manno" <dfmanno@mail.com> wrote:
In article <jollyroger-5869D6.14574503122008@news.individual.net>,
Jolly Roger <jollyroger@pobox.com> wrote:
mikePOST@TOGROUPmacconsult.com (Mike Rosenberg) wrote:
Michael Vilain <vilain@NOspamcop.net> wrote:
"We have removed the KnowledgeBase article because it was old and
inaccurate," Apple spokesman Bill Evans, told Macworld. "The Mac is
designed with built-in technologies that provide protection against
malicious software and security threats right out of the box."
Unless someone wants to be root on their system...
And that's NOT right out of the box behavior.
Nor do most Mac users need or want to be root.
OK, I've seen or heard hundreds of times that it's a bad thing to run as
root, but I have yet to see anyone explain _why_. It seems to be taken
as self-evident.
Well, it's not evident to me. Why is it a bad thing to run as root?
There's a well-known security principle called "Least Privilege" -- only
run with as much privilege as you need. That way, mistakes are less
likely to cause major damage.
Since you don't need to be root to do anything on OS X, it's safest not
to do it.
Wikipedia has a decent article on it:
<http://en.wikipedia.org/wiki/Principle_of_least_privilege>
This is the reason I recommend Mac users use non-administrative user
accounts for day-to-day tasks.
--
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.
JR

Troubled Tony
Posted: Thu Dec 04, 2008 11:50 am
Jolly Roger <jollyroger@pobox.com> wrote:
Quote: Barry Margolin <barmar@alum.mit.edu> wrote:
Since you don't need to be root to do anything on OS X, it's safest not
to do it.
Wikipedia has a decent article on it:
http://en.wikipedia.org/wiki/Principle_of_least_privilege
This is the reason I recommend Mac users use non-administrative user
accounts for day-to-day tasks.
That makes sense, but it's not encouraged by the OS X install
process, where you first create your primary user, who is *also*
the all-powerful admin.
People then use that as their user.
The 'principle of least privilege' is the idea of being able
to assign limited 'roles' to users.
That's not what's happening when a single user-admin
passwd lets you do everything. No role stratification,
no principle of least privilege.

Troubled Tony
Posted: Thu Dec 04, 2008 1:25 pm
Jolly Roger <jollyroger@pobox.com> wrote:
Quote: Barry Margolin <barmar@alum.mit.edu> wrote:
Since you don't need to be root to do anything on OS X, it's safest not
to do it.
Wikipedia has a decent article on it:
http://en.wikipedia.org/wiki/Principle_of_least_privilege
This is the reason I recommend Mac users use non-administrative user
accounts for day-to-day tasks.
I had another thought on this.
'su' stands for 'switch user.'
Let's say you made a second administrative account, then removed
admin privileges for your account from install-time, where you
set up your mail and settled in.
Now, let's compare...
You do something (in each account: admin vs. non-admin) in SysPref
that needs root access, thus opening via API the standard window
to login as an administrator. This gives SysPrefs (or other programs)
root privileges.
It looks the same in both, with the minor exception of having to
change the username in the root-login GUI window to not be your
non-admin user, but the name of an admin account. (I'm figuring
this, and not actually trying it.)
What if you're at the commandline, and you want to issue a
command using 'sudo' (switch user and do this command).
I believe you would either have to edit in a user-specific
rule such that your non-admin id (this is now a runtime
userid check) is allowed root privileges just like the
admin users.
Otherwise, the non-admin user would have to 'su admin-user',
then issue the 'sudo cmd', which will once again ask for the
passwd for admin-user.
I'm not seeing a reason to run daily as a non-admin user.
What's the difference between the two accounts if you manage to
install in your user malware that was recording your keystrokes?
I see none. All 'sudo' passwds would be recorded. That's root-ski.
It would make a difference if it were someone looking over your
shoulder and they picked up just one of the passwds.
That's not enough of a reason for people to switch.
Ugh, the Jolly Roger had only one eye to start with, then
lost the other one (as far as seeing me) in a vendetta
against typos in an OT thread. Oh, well.

Wes Groleau
Posted: Thu Dec 04, 2008 4:42 pm
Troubled Tony wrote:
Quote: What's the difference between the two accounts if you manage to
install in your user malware that was recording your keystrokes?
The difference is that one account is not able to install that.
--
Wes Groleau
In any formula, constants (especially those obtained
from handbooks) are to be treated as variables.

Wes Groleau
Posted: Thu Dec 04, 2008 4:42 pm
D.F. Manno wrote:
Quote: OK, I've seen or heard hundreds of times that it's a bad thing to run as
root, but I have yet to see anyone explain _why_. It seems to be taken
as self-evident.
I don't recall ever seeing that warning without seeing a rationale.
Usually in the same post, always in the same thread.
--
Wes Groleau
Alive and Well
http://freepages.religions.rootsweb.com/~wgroleau/

Warren Oates
Posted: Thu Dec 04, 2008 4:42 pm
In article <u4ednUBmN_4bxKrUnZ2dnUVZ_tHinZ2d@giganews.com>,
Troubled Tony <nonexistent@hotmail.com> wrote:
Quote: That's running as root, dude.
Well, no it's not.
--
W. Oates

Warren Oates
Posted: Thu Dec 04, 2008 4:42 pm
In article <u4ednUFmN_5tyqrUnZ2dnUVZ_tHinZ2d@giganews.com>,
Troubled Tony <nonexistent@hotmail.com> wrote:
Quote: An experienced admin aliases 'rm' to 'rm -i' in both his user
and root accounts.
Not a bad idea for root. It would drive me nuts in my user account.
There's an alias you can set up in the c shell, creates a "trash"
folder. I've never got it working with Bash.
alias del 'mv \!* ~/trash_dir'
--
W. Oates

Wes Groleau
Posted: Thu Dec 04, 2008 4:42 pm
Troubled Tony wrote:
Quote: To be ultra-safe with the 'rm' command, make it an 'ls' command
first, check that's the correct target, then do an up-arrow to
get the commandline again, type a Ctl/A to get to the beginning
of the line, Ctl/D's to delete the 'ls', then type '\rm -rf' to
execute the 'rm' and bypass the interactive questioning of 'rm -i'.
Easier:
ls xy*z
rm !$
If I have enough sense to do the 'ls' then I don't need the -i
--
Wes Groleau
School's Success Story Gives Way to Doubt
http://Ideas.Lang-Learn.us/russell?itemid=731

Guest
Posted: Thu Dec 04, 2008 4:49 pm
Troubled Tony <nonexistent@hotmail.com> writes:
Quote: Sometimes Finder won't do something because of
permissions, and fails to ask for the admin passwd
or fails even when it does ask and you give it.
Here's a GUI tool to run something as root that works
under OS 10.3.9, will likely work on OS 10.4.11, and I
don't know about OS 10.5 -
http://personalpages.tds.net/~brian_hill/pseudo.html
Billy Y..

Guest
Posted: Thu Dec 04, 2008 5:16 pm
Troubled Tony <nonexistent@hotmail.com> writes:
Quote: # Alternative Sudo Authentication
#
# By default sudo will require the password of an admin
# user already logged in. This has one drawback: if an
# interloper acquires the admin password the interloper
# by default also has access to the root account.
There is another drawback - a privilege authentication is
good for five minutes. The length of this time can be changed,
including to 0, at the expense of having to type in the password
for every single command.
The following is from the CLIX (a GUI tool to execute command
lines normally done from the terminal - I don't use it because
it doesn't handle lots of output well) documentation -
| The most important thing is to secure your sudo configuration.
| sudo is the program that escalates your privileges to 'root' -
| you don't want anybody or anything getting this privilege
| escalation except yourself.
|
| 1. You have to run visudo. From a command line. You must do
| this from an administrator account.
|
| 2. Go to a command prompt (Terminal.app) and type in 'sudo visudo'.
| You'll be prompted for your passphrase. Give it.
|
| 3. Use arrow down to get to the line that says
| '# Defaults specification'. Hit 'o' on your keyboard.
|
| 4. Type in 'Defaults tty_tickets'. Hit Enter. Type in
| 'Defaults:ALL timestamp_timeout=0'. Hit <Esc>.
|
| 5. You should now have this.
|
| # Defaults specification
| Defaults tty_tickets
| Defaults:ALL timestamp_timeout=0
|
| 6. Type ':q!' if you make a mistake and want to exit without
| saving changes.
|
| 7. Type ':w' followed by Enter then ':q' followed by Enter
| to save your changes.
|
| What You've Done
|
| You've just made sure interlopers can't 'piggyback' on your
| privilege escalation. Normally a privilege authentication is
| good for five minutes; this means any other process could try
| (repeatedly) to escalate to 'root' without a passphrase.
|
| All Terminal.app sessions are run in so called 'TTYs'. Each
| Terminal window is a separate 'TTY'. Setting 'tty_tickets'
| stops Terminal.app windows from sharing privilege escalation;
| setting 'Defaults:ALL timestamp_timeout=0' stops rogue
| processes (or users) from 'piggybacking' on your previous
| privilege escalation - each new invocation of sudo will
| require your administrator passphrase.
Billy Y..
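
The sudoers points raised in this thread, role-limited rules such as the lpadmin case versus blanket admin grants, and the `tty_tickets` / `timestamp_timeout` settings from the quoted CLIX documentation, can be checked mechanically. The script below is an added example, not part of any post; the sample sudoers text, the user `trader` and the function name `audit_sudoers` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the sudoers properties argued over in this thread.
# SAMPLE_SUDOERS is constructed for illustration; the user "trader" is hypothetical.
SAMPLE_SUDOERS='# Defaults specification
Defaults tty_tickets
Defaults:ALL timestamp_timeout=0

# Role-limited rule: printer administration only, no general root access
trader  ALL = /usr/sbin/lpadmin

# Blanket rule: every member of group admin may run any command
%admin  ALL = (ALL) ALL
'

# audit_sudoers TEXT
# Prints one finding per line:
#   LIMITED <who> -> <commands>   rule restricted to named commands
#   BLANKET <who>                 rule whose command list is just ALL
#   tty_tickets set|unset
#   timestamp_timeout <minutes>|default
# Simplifications: no line continuations, no #include files, no alias expansion.
audit_sudoers() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
        /^[ \t]*(User|Runas|Host|Cmnd)_Alias/ { next }    # alias definitions
        /^[ \t]*Defaults/ {
            if ($0 ~ /tty_tickets/ && $0 !~ /!tty_tickets/) tty = 1
            if (match($0, /timestamp_timeout=-?[0-9.]+/)) {
                # 18 is the length of "timestamp_timeout="
                timeout = substr($0, RSTART + 18, RLENGTH - 18)
                seen = 1
            }
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            who = $1
            rhs = substr($0, eq + 1)
            gsub(/\([^)]*\)/, "", rhs)        # drop (runas) specifications
            gsub(/[A-Z_]+:/, "", rhs)         # drop tags such as NOPASSWD:
            gsub(/^[ \t]+|[ \t]+$/, "", rhs)  # trim surrounding whitespace
            if (rhs == "ALL") print "BLANKET " who
            else print "LIMITED " who " -> " rhs
        }
        END {
            print "tty_tickets " (tty ? "set" : "unset")
            print "timestamp_timeout " (seen ? timeout : "default")
        }'
}

audit_sudoers "$SAMPLE_SUDOERS"
```

On a real system the input would be the file's contents, for example `audit_sudoers "$(sudo cat /etc/sudoers)"`; syntax checking itself is the job of `visudo -c`.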

Tom Harrington
Posted: Thu Dec 04, 2008 10:49 pm
In article <u4ednUBmN_4bxKrUnZ2dnUVZ_tHinZ2d@giganews.com>,
Troubled Tony <nonexistent@hotmail.com> wrote:
Quote: Tom Harrington <tph@pcisys.no.spam.dammit.net> wrote:
Troubled Tony <nonexistent@hotmail.com> wrote:
Barry Margolin <barmar@alum.mit.edu> wrote:
Since you don't need to be root...
Until you do.
Try running fsck or mknod without it, for example.
Or a 'umount -f'. There are plenty of days where
I've needed to be root.
This is why the "sudo" command was invented.
That's running as root, dude.
Yes, but it's not the same as using "su" to open a root shell, which was
your solution. It's root for one command as opposed to an indefinite
period of root access.
--
Tom "Tom" Harrington
Independent Mac OS X developer since 2002
http://www.atomicbird.com/

Guest
Posted: Thu Dec 04, 2008 11:01 pm
Troubled Tony <nonexistent@hotmail.com> writes:
Quote: BASH might be born again, but it still has sh functions.
[...]
I use tcsh for interactivity, but I script in /bin/sh. Bourne Shell.
Bash isn't the only Apple shell that's been born again -
-rwxr-xr-x 1 root wheel 603488 18 Nov 2007 bash
-r-xr-xr-x 1 root wheel 603488 18 Nov 2007 sh
$ cmp bash sh
$
Heh. This is OS 10.3.9, 10.4.11 has a newer version, but
the two are still the same.
Quote: Here's a GUI tool to run something as root that works
under OS 10.3.9, will likely work on OS 10.4.11, and I
don't know about OS 10.5 -
http://personalpages.tds.net/~brian_hill/pseudo.html
Well, ugh, I guess some people would use it, albeit it
hopes you'll live up to its $15 shareware request.
As with my suggesting 'reboot' vs. ^D, I generally try to
keep my remarks within what's easily manageable for "some
people"... I was thinking about what'd be easy to recall
after the guy had his computer in a state where he could
no longer look at what I said with it. Quite like most
of the guys I take care of in my work - they're really
good at what they do, but they're not system admins.
Quote: $15 to execute something as root?
The guy says one can pay, or not.
Billy Y..

Troubled Tony
Posted: Fri Dec 05, 2008 3:10 am
#
# Protecting yerself from an errant 'rm'
#
Wes Groleau <groleau+news@freeshell.org> wrote:
Quote: Troubled Tony wrote:
To be ultra-safe with the 'rm' command, make it an 'ls' command
first, check that's the correct target, then do an up-arrow to
get the commandline again, type a Ctl/A to get to the beginning
of the line, Ctl/D's to delete the 'ls', then type '\rm -rf' to
execute the 'rm' and bypass the interactive questioning of 'rm -i'.
Easier:
ls xy*z
rm !$
If I have enough sense to do the 'ls' then I don't need the -i
I have to chuckle at the qualifier 'If I have enough sense.'
As one who will sometimes make a typo, and has blown hitting '!$'
correctly, I will stick with my own medicine on this one. Usually
I'm deleting one file, in which case I do exactly what you showed,
but I'm running with 'rm -i' and the 'y' prompt gives me one last
chance. Finder will ask for confirmation of emptying the trash, no
different.
Warren Oates <warren.oates@gmail.com> wrote:
Quote: Troubled Tony <nonexistent@hotmail.com> wrote:
An experienced admin aliases 'rm' to 'rm -i' in both his user
and root accounts.
Not a bad idea for root, It would drive me nuts in my user account.
I dunno, you might consider it. All you have to do to bypass the alias
is tap the '\' key. That is, '\rm'. The 'r' is "escaped", but it didn't
have a special meaning, like say "*". However as a side-effect, the
'rm' alias is not looked up and expanded.
Warren Oates <warren.oates@gmail.com> wrote:
Quote: There's an alias you can set up in the c shell, creates a "trash"
folder. I've never got it working with Bash.
alias del 'mv \!* ~/trash_dir'
BASH might be born again, but it still has sh functions.
prompt> echo $SHELL
/bin/bash
prompt> bb() { echo "$* ZOT"; }
prompt> bb 34543
34543 ZOT
prompt> bb ~
/Users/user ZOT
I use tcsh for interactivity, but I script in /bin/sh. Bourne Shell.
#
# Mr. Jolly's advice to use a non-admin account
#
Wes Groleau <groleau+news@freeshell.org> wrote:
Quote: Troubled Tony wrote:
What's the difference between the two accounts if you manage to
install in your user malware that was recording your keystrokes?
The difference is that one account is not able to install that.
Well, 'install' can simply mean downloading something into your default
downloads directory and executing it. No need for system-wide installation.
I accidentally used wording that backs up this point: "install in your user".
And yes, the non-admin account _could_ do a system-wide installation. It
would happen the same way as for an admin account! A GUI-wrapped install
triggers the 'login with admin credentials so I can execute as root'
standard popup window. The non-admin user types in an admin name and
the admin's passwd.
Mr. Jolly's point was to use the least level of privilege necessary.
I see no value added in using an admin and non-admin account for
yourself. In Apple Darwin Unix, being in group 'admin' (type 'id')
means you can become root. This is both in the form of using 'sudo',
as well as when the GUI prompt for the admin credentials occurs.
Historically, on systems that used a group entry to limit which
users may become root, the name was 'wheel.'
Both accounts can equally install files.
#
# Another tool for executing something as 'root'
#
billy@mix.com wrote:
Quote: Troubled Tony <nonexistent@hotmail.com> writes:
Sometimes Finder won't do something because of
permissions, and fails to ask for the admin passwd
or fails even when it does ask and you give it.
Here's a GUI tool to run something as root that works
under OS 10.3.9, will likely work on OS 10.4.11, and I
don't know about OS 10.5 -
http://personalpages.tds.net/~brian_hill/pseudo.html
Well, ugh, I guess some people would use it, albeit it
hopes you'll live up to its $15 shareware request.
$15 to execute something as root?
# Pseudo is a drag-and-drop application that allows you to
# launch other applications in the OSX Desktop as the System
# Administrator or 'root'.
Oh, I was going to ask how I can invoke a program and give it
commandline args or shell redirection, but it's not meant for
that. One could create a shell script with the args/redirection,
but that's not something a systems administrator does just to
drop it on a GUI.
I recently needed to run KeyChain Access as root, it would not
accept the normal admin credentials in the popup window.
So I typed 'su', typed the password, ran it from its /Apps pathing,
typed a Ctl/D to exit the root prompt.
That I type an EOF is a trivial difference versus 'sudo' exiting
after executing the command. 'sudo' was never designed as a tool
for root users to execute one command as root. I've already
posted the details in this thread, in book form. ;-)
#
# To 'su' or to 'sudo'
#
I have no idea why anyone might be enamored with 'sudo' for
executing a command as root. You can always precede the command
with 'exec ' to have it exit after one command (back to your
user shell prompt), and if you made a one character alias for
'exec' then one is down to arguing which is a character or
two less typing. I could even make an alias for 'sud' that
uses 'su' and returns after one command and is one character
shorter to invoke than 'sudo'. The whole thing is of no importance.
If you like 'sudo', use that instead.
Warren Oates <warren.oates@gmail.com> wrote:
Quote: Troubled Tony <nonexistent@hotmail.com> wrote:
That's running as root, dude.
Well, no it's not.
sudo id
Password:
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),101(com.apple.sharepoint.group.1),5(operator),80(admin),102(com.apple.access_ssh-disabled),20(staff)
Yes, it is.
A less terse 20-questions type post like Tom made is of
more use to the group.
Tom Harrington <tph@pcisys.no.spam.dammit.net> wrote:
Quote: Troubled Tony <nonexistent@hotmail.com> wrote:
This is why the "sudo" command was invented.
That's running as root, dude.
Yes, but it's not the same as using "su" to open a root shell, which was
your solution. It's root for one command as opposed to an indefinite
period of root access.
I'm sure that you'll admit there is no difference from a security
standpoint, because 'sudo' can invoke a root shell.
That also moots your claim of 'an indefinite period of root access' being
a difference.
'sudo' was designed to be a mechanism with which you could say give a
user control over his cubicle farm's printer queues; to become an lpadmin
without also getting root access. It was a mechanism designed to provide
the ability to define granular access to resources, along the 'least
privileges necessary' paradigm.
Using 'sudo' to execute a root command, even if sudo provides the "service"
of returning after executing the root command, is not only not what 'sudo'
is for, it's of no added value for that.
Ever find yourself executing more than just the one 'sudo' command that
you thought would be all that's needed? Sure. The general principle 'sudo'
proponents seem to make is to get into root and get out as soon as you are
done. Fine. That doesn't make 'sudo' superior to using 'su.'
If you prefer to use it though, go ahead. But you've got no claim to say
it's better than just su'ing. It's just your preference.
Billy Y, thanks for sharing some 'sudo' config tips, some people
will zero out the "credentials" time.

Tom Stiller
Posted: Fri Dec 05, 2008 3:47 am
In article <LL-dnQk0la3-yKXUnZ2dnUVZ_rDinZ2d@giganews.com>,
Troubled Tony <nonexistent@hotmail.com> wrote:
Quote: Finder will ask for confirmation of emptying the trash, no
different.
Unless you've turned off the annoying behavior.
--
Tom Stiller
PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

All times are GMT