Hacker News new | ask | show | jobs
by ioquatix 3438 days ago
Let's say you write some authorisation code using JavaScript. If it contains a syntax error, or a logic error your authentication is broken for your entire system. Checking the correctness of a program is usually non-trivial, but I accept some things CAN be checked (e.g. syntax). However, JavaScript, naturally is a procedural language and hence the bulk of your problems would be in your logic.

In contrast, /etc/sudoers{.d} config is syntactically validated using a strict grammar so that it can be validated for correctness before being loaded and used (hence visudo). It's primarily a declarative language too which means that logic bugs aren't really possible. This means that there is a robust mechanism to detect syntax issues (and some semantic issues) before breaking your system.
1 comments
jhasse 3438 days ago
What if the program reading /etc/sudoers{.d} has a bug and crashes?
link
jacobmischka 3438 days ago
Exactly, like the link says, at least it runs without permissions and is sandboxed.
link
ioquatix 3437 days ago
Then.. sudo has a bug and should be fixed?
link
jhasse 3437 days ago
But the same can be said about your "authorisation code using JavaScript".
link
ioquatix 3437 days ago
Yes, but one is written by a developer, and one is written by a user. That's a pretty big difference, IMHO.
link