Is sudo just sudoly safe?

I first have this thought when comparing apt to snap on security, but I asked first on Quora.

Of course, this also includes

• On Windows, you are asked for Administrator rights upon install
• Not sure about macOS's Homebrew as well

Wouldn't it be better to be able to install most things without sudo?

Or, multiple levels of sudo, or switch user rather than sudo?

Some other thoughts are,

• I also realized sudo also involves logging, but I don't know how to check?
• Biometrics (fingerprint) for most basic logins, plus vanish-after-use recovery codes (like 2FA) for sharing admin rights.

Comments

[Montegasppα Cacilhας]

On macOS, Homebrew requires the /opt/local/ directory (and down there) to be owned by your user, not root.

On GNU/Linux, you can sudo to other users than root. Another user may have permissions over than yours.

For instance, you can use an admin user with some extra permissions, but yet restricted. You run sudo -u admin.

If you need to switch to that user, you run sudo -u admin -i.

[Pacharapol Withayasakpunt]

So, is it possible to ban sudo? (But not ban sudo -u admin, which is not a real admin, just an installer people.)

[Montegasppα Cacilhας]

If you design properly the system, it’s possible. You’d give writing permissions to admin in specific directories, like /usr/local/ and/or /opt/.

But my advice is another: you can install user-only applications. It goes into the ~/.local/ directory, that must have a subdirectory tree similar to /usr/local/.

That’s how I do.

[Montegasppα Cacilhας]

In order to enable it, you must add ~/.local/bin/ to your PATH, preferably in the head.

You can add to your ~/.bashrc (if you use Bash):

export PATH="$HOME/.local/bin:$PATH"

Since I use Fish, I got in my ~/.config/fish/config.fish:

set -x PATH $HOME/.local/bin $PATH