DEV Community

Pacharapol Withayasakpunt
Pacharapol Withayasakpunt

Posted on

Is sudo just sudoly safe?

I first have this thought when comparing apt to snap on security, but I asked first on Quora.

Of course, this also includes

  • On Windows, you are asked for Administrator rights upon install
  • Not sure about macOS's Homebrew as well

Wouldn't it be better to be able to install most things without sudo?

Or, multiple levels of sudo, or switch user rather than sudo?

Some other thoughts are,

  • I also realized sudo also involves logging, but I don't know how to check?
  • Biometrics (fingerprint) for most basic logins, plus vanish-after-use recovery codes (like 2FA) for sharing admin rights.

Top comments (5)

cacilhas profile image
Montegasppα Cacilhας

On macOS, Homebrew requires the /opt/local/ directory (and down there) to be owned by your user, not root.

On GNU/Linux, you can sudo to other users than root. Another user may have permissions over than yours.

For instance, you can use an admin user with some extra permissions, but yet restricted. You run sudo -u admin.

If you need to switch to that user, you run sudo -u admin -i.

patarapolw profile image
Pacharapol Withayasakpunt

So, is it possible to ban sudo? (But not ban sudo -u admin, which is not a real admin, just an installer people.)

cacilhas profile image
Montegasppα Cacilhας • Edited

If you design properly the system, it’s possible. You’d give writing permissions to admin in specific directories, like /usr/local/ and/or /opt/.

But my advice is another: you can install user-only applications. It goes into the ~/.local/ directory, that must have a subdirectory tree similar to /usr/local/.

That’s how I do.

Thread Thread
cacilhas profile image
Montegasppα Cacilhας

In order to enable it, you must add ~/.local/bin/ to your PATH, preferably in the head.

You can add to your ~/.bashrc (if you use Bash):

export PATH="$HOME/.local/bin:$PATH"

Since I use Fish, I got in my ~/.config/fish/

set -x PATH $HOME/.local/bin $PATH