MacPorts shell mode
Christopher Jones
jonesc at hep.phy.cam.ac.uk
Thu Oct 19 17:28:02 UTC 2017
> If you really want to run a command without typing your password,
> configure the sudoers file accordingly. There are plenty of guides on
> the web on how to do this, or see 'man sudoers' and 'man visudo'.
>
> Be aware of the security implications such a configuration has. Allowing
> to run port without sudo effectively allows to run any command as root,
> as it is trivial to execute other binaries.
Not true. In fact it is the exact opposite, more secure, if configured correctly.
You can configure sudo so *only* /opt/local/bin/port is allowed to run without a password. Any other use of sudo still requires the password.
The reason doing this is more secure is because you can run ‘sudo port XYZ’ without entering any password, which means any subsequent sudo command will require authentication with a password. As an example:
> sudo port XYZ
> sudo rm -rf /opt/local
has a very different outcome in the two cases… If you have configured sudo to allow the first to run without a password, the second will prompt you, at which point you might reconsider what you are doing…
To enable this, update your sudoers file with the last line below:
##
## User privilege specification
##
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
chris ALL=(ALL) NOPASSWD: /opt/local/bin/port
Chris
>
> Rainer
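
An added example, not part of the original message: a small Python audit that lists every command a sudoers file lets someone run without a password, so that grants like the one shown above can be reviewed. It assumes one host and one Runas spec per line and does not expand aliases; the `build` entry in the sample is hypothetical and only there to show that a tag carries over to later commands in the same list.

```python
import re

# Constructed sample: the sudoers lines from the message, plus one hypothetical
# entry (user "build") to show tag inheritance across a command list.
SAMPLE = """\
##
## User privilege specification
##
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
chris ALL=(ALL) NOPASSWD: /opt/local/bin/port
build ALL=(ALL) NOPASSWD: /opt/local/bin/port, /usr/bin/make, \\
    PASSWD: /bin/rm
"""

TAG = re.compile(r"^((?:[A-Z_]+:\s*)+)(.*)$")
SKIP = re.compile(r"^(Defaults|(User|Runas|Host|Cmnd)_Alias)\b")


def nopasswd_grants(text):
    """Return [(who, command)] for every command runnable without a password."""
    grants = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or SKIP.match(line) or "=" not in line:
            continue
        left, spec = line.split("=", 1)
        who = left.split()[0]
        spec = re.sub(r"^\s*\([^)]*\)", "", spec)  # strip the leading (runas) part
        passwordless = False  # sudo asks for a password unless told otherwise
        for cmd in spec.split(","):
            cmd = cmd.strip()
            m = TAG.match(cmd)
            if m:
                # A tag stays in force for later commands until overridden.
                for tag in re.findall(r"[A-Z_]+", m.group(1)):
                    if tag in ("NOPASSWD", "PASSWD"):
                        passwordless = tag == "NOPASSWD"
                cmd = m.group(2).strip()
            if passwordless and cmd:
                grants.append((who, cmd))
    return grants


if __name__ == "__main__":
    for who, cmd in nopasswd_grants(SAMPLE):
        print(f"{who}: {cmd}")
```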