Debian Package a Day (debaday) wrote,
@ 2004-06-15 08:00:00
wajig - Simplified Debian package management front end
Wajig is a single commandline wrapper around apt, apt-cache, dpkg, /etc/init.d scripts and more, intended to be easy to use and providing extensive documentation for all of its functions.

With a suitable sudo(1) configuration, most (if not all) package installation as well as creation tasks can be done from a user shell. Wajig is also suitable for general system administration.

Since release 2.0.0, a GUI command 'gjig' is also included in the package.

k8to commented regarding the similar package feta that was featured here recently,
wajig seems to require sudo, which rules it right out for my purposes.

user passwords giving root privilege? Having to create extensive command additions to the unpleasantly syntaxed sudoers file? No thanks!

But I think both feta and wajig make use of sudo.

More information on this package can be found on the Debian web site.
(If there is a package you would like to see featured here, go to the userinfo page and follow the directions there to submit your entry.)




k8to
2004-06-16 12:40 pm UTC (link)
It may be that feta can use sudo, but it certainly does not by default. I do not install sudo on any machines I administer for the stated reasons.

I sent similar comments to the wajig author who seems to agree that su by default is a reasonable path, and likely wajig will follow this path. I'm sure the configuration granularity that sudo tries to provide is useful in some cases.

(Reply to this)


(Anonymous)
2004-06-16 02:09 pm UTC (link)
sudoers is simple to set up. And is the secure way to go if users need root privileges for running a command such as wajig.

If they don't need to run a command then they aren't set up with sudo. If they need to run a command, set up sudo and protect the root password.

(Reply to this)(Thread)


k8to
2004-06-22 03:43 pm UTC (link)
Sudo is actually pretty poorly behaved securitywise, because you have to control what users can and can't do based on text matching. It's often possible to ask a command to do something unexpected by putting interesting things in the argument lists. Therefore a sudoers that only lets people do what you really think it does has to be very minimal. Sadly, this often results in users being unable to use the flags and options of a program that they are accustomed to using.

Giving a user access to install and remove packages with wajig is probably equivalent to providing them root, since there's almost certainly a package they can choose to install and then abuse to get root. A lot of hassle for fairly little gain.

I'm not even going to get into the "easy to use" nature of sudoers with its syntax that can involve up to four different CATEGORIES of items per line: eg.
bob SPARC = (OP) ALL : SGI = (OP) ALL

(Reply to this)(Parent)

wajig seems to require sudo
(Anonymous)
2004-06-17 05:31 am UTC (link)
Not exactly true - I run it only as root. Permission required depends on the wajig sub command being run.

I don't think it is secure to have anyone other than root installing packages anyway.

Great package - makes the Debian tools usable.

(Reply to this)(Thread)

Re: wajig seems to require sudo
k8to
2004-06-22 03:45 pm UTC (link)
Yes, wajig intelligently invokes sudo as appropriate and not when not appropriate. However, invoking su is equivalent to running the command as root, since the root password must be known, and the user does actually log into root via su, the normal way of becoming root in most environments.

(Reply to this)(Parent)

wajig does not require sudo
(Anonymous)
2004-06-20 04:57 am UTC (link)
The use of sudo is only suggested in wajig and a user who knows the root password can also run wajig just fine - the user is asked for the root password for each privileged command.

(Reply to this)(Thread)

Re: wajig does not require sudo
k8to
2004-06-22 03:47 pm UTC (link)
Wrong on both counts.

jrodman@Skonnos:~/.wesnoth/saves >feta show wajig

Running: apt-cache show wajig
Package: wajig
Priority: optional
Section: admin
Installed-Size: 476
Maintainer: Dirk Eddelbuettel
Architecture: i386
Version: 2.0.10-1
Depends: python (>= 2.3), python (<< 2.4), apt, python-apt, sudo

Note that sudo does _not_ ask for the root password, but the user's password.

(Reply to this)(Parent)

sudo benefits
(Anonymous)
2005-03-14 03:28 am UTC (link)
Your aversions to sudo are grossly misplaced.

In a multi-user environment, where multiple users perform admin operations, sudo allows:

  • logging of actions by user
  • limitation of rights per user
  • shielding of root password. In fact, root need not have a password. Particularly useful if staff change / one user turns rogue. You can lock out the one user without forcing password changes on all others.
  • logical grouping of users
  • logical grouping of commands
  • logical grouping of assumed roles
  • logical assignment of grouped users, commands, and assumed roles. So, PRINTMGRS can run PRINTCMDS as PRINTDAEMON. Apparently the concept of flexibility and ensuing complexity taxes you, but it's a real benefit.
  • WRT your stated issue of command arguments bypassing sudo protections: yeah, but, um, where are you with, say, 'su'? With sudo it's possible to write specific scripts or tools to handle specified roles, in which arguments are supplied.

Yes, if you want sudo to be sufficiently limiting, you're going to have to configure it to only allow specified commands, make sure that those commands don't have their own holes (say: user-privilege escalation -- 'sudo su' or 'sudo sudo', or shell escapes -- most editors). Which means you need to take care what commands you allow access to, but that's not an issue with sudo itself, just part of the reality that security is hard.

By contrast, other ways of assigning root -- either allowing/sharing root password or 'su', have far fewer controls than sudo.

kmself@ix.netcom.com http://kmself.home.netcom.com/

(Reply to this)
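
The thread's two technical points, that a sudoers grant matches on command text and that allowed commands can carry their own route to root (su/sudo, editor shell escapes, package installation), can be checked mechanically. The following is an added example, not part of any comment above: a small Python audit of simple one-line sudoers entries. The sample policy, the user names and the program lists are constructed assumptions, and the parser handles only `Cmnd_Alias` and single-line user specifications.

```python
import re

# Constructed sample policy (not from the thread); every name is illustrative.
SAMPLE_SUDOERS = """\
Cmnd_Alias PRINTCMDS = /usr/sbin/lpc, /usr/bin/lprm
%printmgrs ALL = (printdaemon) PRINTCMDS
alice ALL = (root) /usr/bin/wajig, /usr/bin/apt-get
bob ALL = (root) /bin/su, /usr/bin/vi /etc/motd
carol ALL = (root) /usr/local/sbin/rotate-logs ""
dave ALL = (ALL) ALL
"""

# Categories the thread calls root-equivalent; program names are assumptions.
RISKY = {
    "privilege switch": {"su", "sudo"},
    "shell escape": {"vi", "vim", "emacs", "nano", "less", "more"},
    "package install": {"wajig", "apt-get", "apt", "dpkg", "aptitude"},
}
SKIP = ("#", "Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def audit(text):
    """Return (user, runas, command, reason) for each risky one-line grant."""
    aliases, findings = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(SKIP):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)", line)
        if not m:
            continue
        user, runas = m.group(1), m.group(2) or "root"
        for item in (c.strip() for c in m.group(3).split(",")):
            for cmd in aliases.get(item, [item]):
                cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd)  # drop NOPASSWD: etc.
                parts = cmd.split()
                name = parts[0].rsplit("/", 1)[-1]
                reason = next((r for r, n in RISKY.items() if name in n), None)
                if cmd == "ALL":
                    reason = "unrestricted (ALL)"
                elif reason is None and len(parts) == 1:
                    # bare path: any arguments allowed; a trailing "" allows none
                    reason = "any arguments accepted"
                if reason:
                    findings.append((user, runas, cmd, reason))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_SUDOERS), sep="\n")
```

Only the `carol` entry passes clean: it names a single wrapper script and, with `""`, permits no arguments, which is the scripted-role approach described in the last comment.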

