Comment by throw0101a
14 hours ago
> Why should something like sudo not be "done" after 30 years?
Because new needs arise over time. For example, when I started in IT the "sudoedit" functionality was not present and so allowing someone to do "sudo vi …" would allow them breakout of the editor when it was running as root.
With sudoedit you can give people permissions to edit particular files with elevated permissions.
> Even OpenBSD gave up and implmented their own simplified replacement (doas).
They did not "give up": they found they needed only much simpler functionality shipped in the base OS. For example, sudo has functionality to talk to LDAP (which I've used at multiple jobs over the years), but is not needed for a local-only box. Once you need centralized account and privilege management, doas becomes much less useful.
Let's be honest, though. If you designed a new sudo in a system with doas(1) it would look nothing like modern sudo.
I can't remember the name, but I read about a rust project a few months ago which claimed that even doas had too much feature creep.
> sudo has functionality to talk to LDAP
That is scary! I may need to look more at openbsd
There's a Linux port of doas named OpenDoas
Distros come with sudo. Scripts assume sudo. Complexity exists there.
The purpose is to allow users access by ldap criteria like group so the sodoers file need not be edited on each and every server.
https://www.sudo.ws/docs/man/sudoers.ldap.man/
Yeah, that’s not something I would expect a core until to do.
I would expect another system to query ldap.