so if a routine shell script needs to run as root, is it better to have setuid wrapper that calls it or just a simple sudo definition
Define "routine"
If we're talking "routine" as in run from cron, just run the script from root's crontab
If it's an admin script, then sudo
Note that a setuid wrapper adds needless complication, and could be abused (if someone replaced the target script with their own, for instance)
yeah, it's not periodic enough to warrant cron
but "lesser" admins need access to it.  sudo seems easiest/safest and it's what i've been doing lately.
long ago, i used C wrapper binaries
setuid binaries have fallen out of fashion
but most people seem to end up opening sudo too much
convenience over security
i don't really see how open sudo is more secure than logging in as root myself
hint - in sudo, don't restrict people to "vi" :)
or "less"
former $client did that... nice backdoor
That's what she said!!
lol
good one BryceBot
yeah, never been a big fan of the sudo regex
i think it makes it too easy to make a mistake