Comment by acdha

Comment by acdha 6 hours ago

2 replies

View on Hacker News

> A production environment should usually be setup up properly with explicit roles and normal access control.

… and sudo is a common tool for doing that so you can do things like say members of this group can restart a specific service or trigger a task as a service user without otherwise giving them root.

Yes, there are many other ways to accomplish that goal but it seems odd to criticize a tool being used for its original purpose.

pphysch 5 hours ago

PSA for anyone reading this, you should probably use polkit instead of sudo if you just want to grant systemd-related permissions, like restarting a service, to an unprivileged user.

It's roughly the same complexity (one drop-in file) to implement.

Reply View 1 reply
  • acdha 4 hours ago

    I’d broaden that slightly to say you should try to have as few mechanisms for elevating privileges as possible: if you had tooling around sudo, dzdo, etc. for PAM, auditing, etc. I wouldn’t lightly add a third tool until you were confident that you had parity on that side.

    Reply View 0 replies