~/.macports

Clemens Lang cal at macports.org
Thu Feb 12 06:28:35 PST 2015


Hi,

----- On 12 Feb, 2015, at 14:43, Chris Jones jonesc at hep.phy.cam.ac.uk wrote:

> I would actually argue allowing port to run via sudo without requiring a
> password could be viewed as improving security. By allowing 'sudo port'
> to run without a password, you never have to authenticate, which means
> sudo never enters into its state where it can run *any* command without
> a password. This means running
> 
> > sudo port XYZ
> > sudo <something bad>
> 
> will prompt you for a password on that second command, because the first
> does not require one. If you had to enter a password for the first
> command, then the second would just run...

No, this improves safety, not security. It's fine if that's your use case,
and I completely agree with it.

The moment you allow "sudo port" without password you give your user
account passwordless sudo privileges.

Personally, I have a hardware token I use to ease the pain of typing my
sudo password a lot. I have configured my PAM to allow sudo either if
challenge-response with my token succeeds or the password is correct. This
way I can just plug in the token when I know I'm going to run a couple of
commands that need sudo in a row.

-- 
Clemens Lang
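
The PAM arrangement described in the last paragraph, as an added example that is not part of the original message. It assumes a YubiKey with the pam_yubico module (the message names neither the token nor the module) and an OS X style /etc/pam.d/sudo stack that authenticates with pam_opendirectory.so.

```conf
# /etc/pam.d/sudo  (added example; module choice and stack layout are assumptions)
#
# "sufficient": if the token's challenge-response succeeds, authentication
# succeeds immediately and the password module below is never consulted.
# If it fails (for example, the token is not plugged in), the failure is
# ignored and PAM falls through to the next auth line.
# Assumes the per-user challenge file was already created with `ykpamcfg -2`.
auth       sufficient     pam_yubico.so mode=challenge-response

# Fallback: the normal account password. "required" means a wrong password
# here fails the whole stack, so the result is "token OR password".
auth       required       pam_opendirectory.so

account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
```

Order matters: the `sufficient` line must come before the password module, otherwise the password prompt appears even when the token is present.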

