On 7 Aug 2010, at 14:27, Kassen wrote:
However, sudo is a tool to protect the installation against unauthorised modifications.
Actually, not: it is just a shortcut to become root; try 'sudo -s'.
Quite so, and I believe that unlike with becoming root outright the commands given with sudo are logged, which can be helpful to trace what went wrong, if something does.
There is a file /private/etc/sudoers which can be edited with 'visudo' to put restrictions. But the user does become root. I think all stuff is logged - there is a Console showing it, if you so like.
Though restrictions can be implemented, that is not so in Mac OS X. In addition, when one does a 'sudo', it is valid for a few minutes, which can be exploited by malware, by trying every minute if the user has enabled root permissions.
It might be preferable to restrict root access to a single bash session, or perhaps to require it for every command. System-wide root access sounds a bit excessive to me, but I don't know what considerations went into that choice.
Yes, one can turn the timing off, and some do. Otherwise, giving access in just the place where one wrote it might have been wise, but one can do it in one window, and then do it in another without switching.
On the other hand, whenever you install something on Mac OS X, and is asked for the password, one is in effect doing the same thing as a 'sudo', becoming root. So one should never do that unless one trust the software.
Good advice. I do trust our devs, even though they can be a bit chaotic at times ;-) ..
It is mostly important when you visit porn sites - don't give your password away there! Strange that one would have to give such advice. :-)
FYI: Though it derives from FreeBSD, it is now certified UNIX (Intel 1.5 and later).
It is. Of course the main thing that this indicates is that Apple (unlike some other *nixes) has a budget for certification.
Yes, but I saw that there are efforts to close in on the free variations.
I suspect he has absolutely no knowledge about the console (Terminal). Therefore, to start with it, it might be safest to put it into ~/bin/.
It is good with this discussion - ChucK with strange downloading comments, is directed to the console-savvy user, in effect shutting others out.
Yes. There have been a lot of questions about this. Commandline interfaces do look alien and a bit scary to many. Perhaps we should spend some time on this in a FAQ, for example with a link to a good online tutorial. We may also need to update the docs on the mini since the mini really isn't all that experimental and dangerous any more.
An installer might put the stuff into /usr/local/bin where it should be.