DEV Community

Is sudo just sudoly safe?

Pacharapol Withayasakpunt (patarapolw) ・1 min read

I first had this thought when comparing apt to snap on security, but I asked first on Quora.

Of course, this also includes

  • On Windows, you are asked for Administrator rights upon install
  • Not sure about macOS's Homebrew as well

Wouldn't it be better to be able to install most things without sudo?

Or, multiple levels of sudo, or switch user rather than sudo?

Some other thoughts are,

  • I also realized sudo also involves logging, but I don't know how to check?
  • Biometrics (fingerprint) for most basic logins, plus vanish-after-use recovery codes (like 2FA) for sharing admin rights.
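
On the logging question above: sudo records every invocation through syslog (usually /var/log/auth.log on Debian/Ubuntu, /var/log/secure on RHEL-family systems, or journalctl _COMM=sudo). The script below is an added example, not part of the original post; it parses constructed sample lines in that format and separates runs as root from runs as a restricted account such as the "admin" user discussed in the comments. All user names, hosts and commands in it are made up.

```shell
#!/usr/bin/env bash
# Summarise sudo activity from syslog-format lines read on stdin.
# Real input would be e.g.:  sudo_events < /var/log/auth.log

# Constructed sample lines (not from a real system).
sample_log() {
cat <<'EOF'
Mar  3 10:15:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt install htop
Mar  3 10:16:40 host sudo[4211]:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=admin ; COMMAND=/usr/bin/make install
Mar  3 10:17:11 host sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:18:30 host sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/apt remove htop
Mar  3 10:18:31 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
EOF
}

# Emit one tab-separated record per sudo command line:
#   invoking user, target user (USER=), status, command
sudo_events() {
  awk '
    / sudo(\[[0-9]+\])?: / && /COMMAND=/ {
      line = $0
      sub(/^.* sudo(\[[0-9]+\])?: +/, "", line)   # drop timestamp, host, tag
      n = split(line, f, / ; /)
      split(f[1], head, / : /)                     # "alice : TTY=..." or "bob : <reason>"
      who = head[1]; gsub(/ /, "", who)
      # An allowed run starts with KEY=value; a denial starts with the reason.
      status = (head[2] ~ /^[A-Z]+=/) ? "allowed" : "denied: " head[2]
      target = ""
      for (i = 1; i <= n; i++)
        if (f[i] ~ /^USER=/) target = substr(f[i], 6)
      # COMMAND= is always last, so take the rest of the line verbatim.
      cmd = substr(line, index(line, "COMMAND=") + 8)
      printf "%s\t%s\t%s\t%s\n", who, target, status, cmd
    }'
}

# Successful runs that targeted root instead of a restricted account.
root_runs()   { sudo_events | awk -F'\t' '$2 == "root" && $3 == "allowed"'; }
# Attempts sudo refused (not in sudoers, command not allowed, ...).
denied_runs() { sudo_events | awk -F'\t' '$3 != "allowed"'; }

echo "== all sudo events ==";   sample_log | sudo_events
echo "== allowed as root ==";   sample_log | root_runs
echo "== denied ==";            sample_log | denied_runs
```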

Discussion

Arĥimedeς ℳontegasppα ℭacilhας

On macOS, Homebrew requires the /opt/local/ directory (and down there) to be owned by your user, not root.

On GNU/Linux, you can sudo to users other than root. Another user may have permissions other than yours.

For instance, you can use an admin user with some extra permissions, but yet restricted. You run sudo -u admin.

If you need to switch to that user, you run sudo -u admin -i.

Pacharapol Withayasakpunt Author

So, is it possible to ban sudo? (But not ban sudo -u admin, which is not a real admin, just an installer person.)

Arĥimedeς ℳontegasppα ℭacilhας

If you design the system properly, it’s possible. You’d give write permissions to admin in specific directories, like /usr/local/ and/or /opt/.

But my advice is different: you can install user-only applications. They go into the ~/.local/ directory, which must have a subdirectory tree similar to /usr/local/.

That’s how I do it.

Arĥimedeς ℳontegasppα ℭacilhας

In order to enable it, you must add ~/.local/bin/ to your PATH, preferably at the head.

You can add this to your ~/.bashrc (if you use Bash):

export PATH="$HOME/.local/bin:$PATH"

Since I use Fish, I have this in my ~/.config/fish/config.fish:

set -x PATH $HOME/.local/bin $PATH
☮️✝️☪️🕉☸️✡️☯️

Windows has elevate.exe. It basically adds a token to the session for higher state permissions.