I think the big issue with sudoers is that sudo has a lot of capabilities that almost nobody cares about, but that you must nevertheless understand in order to edit a sudoers file. Host is the perfect example of this—how many people manage nonuniform permissions across multiple hosts with a single shared sudoers file? Plus, the documentation does a very poor job of telling you that the only thing host does is tell a machine to ignore a directive if it doesn’t match, though any documentation which opens with a brief summary of EBNF is in desperate need of overhaul anyway. (The fact that the typical failure mode for getting sudoers wrong is to lock yourself out of your system certainly doesn’t help things, either.)
how many people manage nonuniform permissions across multiple hosts with a single shared sudoers file?
FWIW, I did at my old job. We kept a single sudoers file under CVS control and on certain machines, junior staff could not do anything. We had particular host groups defined for web servers, mail servers, etc. which made it easy to restrict which commands could be run.
This is probably less of a concern now with the whole pets-vs-cattle thing where people are making tons of identical servers and their configurations are all built dynamically.
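The host-matching behaviour discussed in the comments above, as an added example that is not part of the thread and is not sudo's own parser: a simplified Python model in which one shared policy yields different permissions depending on which machine reads it. The policy text, host names, user names and command paths are constructed for illustration, and negation, Runas_Spec, tags and Cmnd_Alias are left out.

```python
# Simplified model of sudoers host matching (assumption: NOT sudo's real parser).
# Constructed sample policy; every host, user and path here is hypothetical.
SUDOERS = """\
Host_Alias WEB = web1, web2
Host_Alias MAIL = mail1
User_Alias JUNIOR = alice, bob
JUNIOR WEB = /usr/sbin/apachectl
JUNIOR MAIL = /usr/sbin/postqueue
carol ALL = ALL
"""

def parse(text):
    """Split the policy into alias tables and (user, host, commands) rules."""
    aliases = {"Host_Alias": {}, "User_Alias": {}}
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        left, right = (s.strip() for s in line.split("=", 1))
        items = [s.strip() for s in right.split(",")]
        first, name = left.split()
        if first in aliases:
            aliases[first][name] = set(items)
        else:
            rules.append((first, name, items))  # first=user spec, name=host spec
    return aliases, rules

def matches(token, value, table):
    """True if token is ALL, the literal value, or an alias containing value."""
    return token == "ALL" or token == value or value in table.get(token, ())

def allowed_commands(user, host, text=SUDOERS):
    """Commands the shared file grants to `user` when evaluated on `host`."""
    aliases, rules = parse(text)
    cmds = []
    for who, where, what in rules:
        if not matches(who, user, aliases["User_Alias"]):
            continue
        if not matches(where, host, aliases["Host_Alias"]):
            continue  # host mismatch: this machine simply ignores the rule
        cmds.extend(what)
    return cmds
```
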
It would be interesting if sudo (or doas, etc.) supported a secondary password for privileged operations. On many systems, including almost every Mac, a compromised standard user password means a compromised root.
Why not just use su at that point?
I do (su -c), for that reason.
It doesn’t make me feel any less uneasy when I do sudo -i on a family member’s MacBook with a password of hello123, though.
The end of the article mentions that the implementation itself doesn’t follow the EBNF precisely. Would be nice to know which parts deviate.
It’s not terribly significant, I’m afraid. But in a pair of parenthesised Runas_Spec, e.g., (operator:operator), the one on the right represents a group name, but does not follow the syntax for group names (if you look at the definition of Runas_Member above, group names are supposed to be %group). Really, the point is that you shouldn’t take the EBNF too seriously.