I can think of very few instances where you should be giving people shell access, let alone need to worry about RBAC.
Furthermore, the UNIX user model and file system hierarchy already provides you with RBAC. Combine that with ACLs and SetUID (et al) bits and you’ve already got sudo baked into the core system.
Your point about it being a convenience tool is bang on: it makes it easier to administer all of the above but that convenience, like nearly all convenience tools in computing, comes with a slight security trade off.
To be clear, I don’t agree with the author’s recommendation to ditch sudo. But they are absolutely correct in the technical sense. Just as you are. In fact you are both basically arguing the same point but from different perspectives: “sudo adds a vector of attack”. It’s then up to your threat modelling to decide if that is appropriate or not.
But to come back to my original point: just don’t give people shell access. There’s no need in 99% of cases of servers these days and if we are talking about local user machines, then RBAC is less of an issue since it would be a machine per user.
Even (or perhaps especially) with a machine per user, it's critical to keep that user from accidentally shooting themselves in the foot. Typing sudo does help remind a user they're doing something different. I don't want to always have the right to force delete root!
Your comment seems to suggest the alternative of not installing `sudo` is to run your desktop as root. Which clearly isn't the case at all. There are plenty of "sudo" alternatives: `su -c`, `doas`, `login`, etc.
Also since we're talking about running as root: ironically I've found a lot of people seem to put the following line in their sudoers file:

`ALL=(ALL) NOPASSWD:ALL`

which is definitely better than logging in as root... but not by a lot.
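The `NOPASSWD:ALL` grant above is the pattern worth catching when reviewing a sudoers file. As an added example (not code from this thread), here is a small Python audit that flags user specs granting ALL commands and distinguishes a passwordless unrestricted grant from a scoped one such as a single service restart. The sudoers content is constructed; tag handling follows the sudoers rule that a tag like `NOPASSWD:` applies to every later command in the same spec.

```python
import re

# Constructed sample sudoers content (not taken from any real host): one
# unrestricted passwordless grant, one scoped passwordless grant, the normal
# root entry, a group entry, a Defaults line and a command alias.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl restart app, /usr/bin/systemctl status app
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD:ALL
deploy  ALL=(root) NOPASSWD: SERVICES
%wheel  ALL=(ALL) ALL
"""

SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
# who  hosts = (runas) cmds   -- the shape of a sudoers user specification
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def classify_cmds(cmds):
    """Return 'passwordless-all', 'all' or None for a user spec's command list.
    A NOPASSWD:/PASSWD: tag sticks to every later command in the list, as in
    sudoers itself, so the flag is carried across the comma-separated entries."""
    nopasswd = False
    for entry in cmds.split(","):
        entry = entry.strip()
        # peel off any leading TAG: prefixes before the command itself
        while ":" in entry and entry.split(":", 1)[0].strip().upper() in TAGS:
            tag, entry = entry.split(":", 1)
            tag, entry = tag.strip().upper(), entry.strip()
            if tag == "NOPASSWD":
                nopasswd = True
            elif tag == "PASSWD":
                nopasswd = False
        if entry == "ALL":
            return "passwordless-all" if nopasswd else "all"
    return None

def audit_sudoers(text):
    """Return (who, risk, cmds) for every user spec granting ALL commands; the
    root entry is skipped because it adds nothing root does not already have."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m or m.group("who") == "root":
            continue
        risk = classify_cmds(m.group("cmds"))
        if risk:
            findings.append((m.group("who"), risk, m.group("cmds").strip()))
    return findings

if __name__ == "__main__":
    for who, risk, cmds in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{risk:16} {who:8} {cmds}")
```

Note that the `deploy` entry is not reported: passwordless sudo scoped to a command alias is the shape this kind of grant should take, and the audit only flags the unrestricted `ALL`.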