ティージェーグレェ「teajaygrey」 on Nostr: npub14d70x…zdm4s I am really confused as far as why PDF viewing would require ...
npub14d70xk632yuqshz7hdrnnj79j3yufrphy4u7ryekmpr7vztwvf5q8zdm4s (npub14d7…dm4s) I am really confused as far as why PDF viewing would require elevated privileges in the first place. o.O
I've worked some places where we had libpam-radius-auth tied to some multi-factor-authentication tokens (e.g. RSA SecurID/Yubico/DuoSec/GoogleAuthenticator) and had such invocations also required for sudo; which in general was hypothetically more secure even if it required a little bit of overhead. (In practice, with something such as a Yubikey, that meant that when invoking sudo, you would also want the Yubikey inserted into the system and press the fingerprint reader thinger to do its magic; IMHO, DuoSec's model is slightly more robust but: more proprietary and costly).
Though: we also typically had some special accounts which did not require such additional hoops in case things went sideways and we needed a way to fix things anyway.
I can't even imagine wanting to have sudo tied to an issue tracking system, IT never needs to make more work for itself, and that would guarantee such paradigms. Maybe they wanted to make it look as if they were busier than they were?
smdh, trying to justify yourselves to management via closed/open issues instead of scripting something to parse logfiles and generate reports on the order of: "IT has contended with over 9000 sudo instances this month" seems like a bad idea that I would scream if I were in such an environment, or just quit.
I might just quit.
I've worked some places where we had libpam-radius-auth tied to some multi-factor-authentication tokens (e.g. RSA SecurID/Yubico/DuoSec/GoogleAuthenticator) and had such invocations also required for sudo; which in general was hypothetically more secure even if it required a little bit of overhead. (In practice, with something such as a Yubikey, that meant that when invoking sudo, you would also want the Yubikey inserted into the system and press the fingerprint reader thinger to do its magic; IMHO, DuoSec's model is slightly more robust but: more proprietary and costly).
Though: we also typically had some special accounts which did not require such additional hoops in case things went sideways and we needed a way to fix things anyway.
I can't even imagine wanting to have sudo tied to an issue tracking system, IT never needs to make more work for itself, and that would guarantee such paradigms. Maybe they wanted to make it look as if they were busier than they were?
smdh, trying to justify yourselves to management via closed/open issues instead of scripting something to parse logfiles and generate reports on the order of: "IT has contended with over 9000 sudo instances this month" seems like a bad idea that I would scream if I were in such an environment, or just quit.
I might just quit.