Posted on 11/13/2009 1:37:37 PM PST by Swordmaker
I was going to bring up that very same concern.
bump
It's something you say to your girlfriend in order to get her to make you a sandwich.
The typical method on Unix to limit access to a specific application is through the use of group ids. You place every userid who requires access in the group and then fix the application to have only allowed group permissions and no world permissions.
To the best of my knowledge, and I have a quarter century experience with Unix, no one has ever GUI-ized that mechanism.
I find it something of a security risk so I'm not surprised no one on our side has done it before. Microsoft reliably "invents" dubious methods of bypassing security that were rejected in the Unix community years before starting with ActiveX and auto executing things coming from offhost.
The need to restrict access on a specific host for specific applications outside of an enterprise environment is nil other than parental controls - no QuickTime or World of Warcraft after 10pm on a school night, for example.
Oh and for the record, the first Unix system I ever had at home in 1985 had default crontab entries to restrict access to /usr/games inside business hours.
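The group-ID gate described above, as an added example that is not part of the original post: it locks one file to a group, then checks that world has no permission bits and whether a given user is in the gating group. The helper names are hypothetical, the "application" is a constructed temp file, and the caller's own group is used so that no root is needed.

```shell
#!/bin/sh
# Added example: the Unix "group gate" for one application, checked without root.
# Helper names are hypothetical; the demo file is constructed.

# perms PATH -> ten-character mode string, e.g. -rwxr-x---
perms() { ls -ldn "$1" | cut -c1-10; }

# lock_to_group PATH GROUP: owner rwx, group r-x, world nothing.
lock_to_group() { chgrp "$2" "$1" && chmod 0750 "$1"; }

# is_group_only PATH: true when the group can execute and world has no bits.
is_group_only() {
    m=$(perms "$1")
    [ "$(printf '%s' "$m" | cut -c8-10)" = "---" ] || return 1
    case $(printf '%s' "$m" | cut -c7) in x|s) return 0 ;; *) return 1 ;; esac
}

# may_run PATH [USER]: is USER (default: the caller) in the file's group?
# Checks group membership only; the owner and root are not considered here.
may_run() {
    gid=$(ls -ldn "$1" | awk '{print $4}')
    if [ -n "${2:-}" ]; then gids=$(id -G "$2" 2>/dev/null) || return 1
    else gids=$(id -G); fi
    for g in $gids; do [ "$g" = "$gid" ] && return 0; done
    return 1
}

demo() {
    app=$(mktemp) || return 1          # stands in for the application binary
    chmod 0755 "$app"                  # common default: world-executable
    is_group_only "$app" || echo "before: $(perms "$app") open to everyone"
    lock_to_group "$app" "$(id -g)"    # caller's own group, so no root needed
    is_group_only "$app" && echo "after:  $(perms "$app") group members only"
    may_run "$app" && echo "caller is in the gating group"
    rm -f "$app"
}
demo
```

On a real host the group would be a dedicated one created by the administrator, and access is then granted or revoked by editing that group's membership rather than the file's mode.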
I have been commanded by my managers at work to obtain sudo access to hosts, so let me explain with a real world example.
I manage an application which runs in a data center that I neither have physical access to, nor have any business on most other servers there. The application is managed by an account that has login access disabled for security reasons.
I am required to have access to various system logs that no one other than the assigned system management team should have access to. Sudo is the perfect solution to the dilemma of allowing me (limited) system admin access while also allowing me to manage the application.
$ sudo su APP-NAME
Allows me to obtain access to an otherwise inaccessible login and allows me to run dmesg.
With tiny, non-networked and single-user computers, it doesn't make much sense to restrict access on host. That is the original Microsoft DOS situation. With networked computers everything changes and it becomes extremely desirable to have very limited access to the system by default. It only took a decade and a half, but it appears that Microsoft has finally learned that lesson that we in the Unix world knew a decade before they started networking.
As I wrote in another post, I don't see much use, if any, for this patent. As with all software patents it's only going to hinder someone who does have a good use for the idea. The idea is not new.
I have to agree. This isn't the first time Microsoft has been awarded a patent that people fly off the handle and yell "They're patenting sudo! They're patenting sudo!", when in fact, they are not.
I'm staking out grep. I'm convinced it's the future of computing.
"Oh, you're not authorized, but here's a list of everyone who *is*. Would you like to learn how to impersonate *them* ?"
Cheers!
OK, but I get vi and Emacs! </sarc>
Cheers!
*chuckle*
Patent security issue there... That's like telling a potential bank robber which of the bank employees know how to open the safe.
I'm sorry, but in this universe the two are mutually exclusive. If you had both, it would create a rift in space/time that would destroy the universe. I'll take vi, which I shall refer to as '6' so as to confuse the Powers That Be. You can have emacs, which I hear is really an operating system masquerading as an editor.
(Once I master the Ctrl-Alt-F6-Assim key combo, that is...)
Cheers!
Funny.
I always figured I wasn't smart enough to know emacs. 6 just seemed so much more natural for me to learn, and I still only know about 10% of its capabilities. However, in bash, I prefer to use the emacs keybindings for command line manipulation rather than set -o vi.
One of the things I love about Unix is the sheer number of choices available to us. It lets you do really powerful things fairly easily that just aren't possible in the Windows world.
For instance. Recently I had a need to scan a network to determine reverse DNS names of every host in a subnet.
for ((i=0; i<=255; i++)); do   # last octet runs 0-255; 256 is not a valid address
host 192.168.1.$i >> localnet.log
done
How would you do that in Windows without finding a program written for such things, or writing your own?
Granted, the script that I eventually deployed was somewhat more complex than that, as it was more generalized to allow it to query specific DNS servers and whatever network you wanted to scan, but the actual work was done in 3 lines of shell code.
Lots of folks don't need that kind of power (or at least don't realize they do), but for those of us who do need it, I thank G-d we have options.
That’s insane!!
Are they going to patent /etc too? LOL
It wasted enough on SCO.
Update: Steve Martin notes that sudo goes back even further, to the 1970s and mainframes:
Wow, in addition to being wild and crazy, that's one busy guy!
Hey - I just issued the emacs command "term", and then ran vi from within an emacs terminal session and as far as I can tell, the universe is still functioning!