SU & SUDO

Daniel Pittman daniel at rimspace.net
Sat Oct 7 03:06:15 UTC 2006 

Dave <dsterken at gmail.com> writes:

G'day Dave.

> You all brought up great points! The main reason I want "su"
> vs. "sudo" is for security. Admittedly, I do not have a deep
> understanding of how sudo works but I came from a FreeBSD environment
> and have only just started using Ubuntu recently. 

OK.  First, a hint from my years of experience with security: you will
generally get better security sticking with the tools the developers
chose than adding additional tools -- unless you understand exactly what
you are trading off in each direction.

> While a lot of things are different to me, I do not understand the
> need to give applications in x, access to sudo.

None of the applications, X or otherwise, have access to sudo.  *Users*,
and specifically users in the 'admin' group (which is equivalent in many
ways to the 'wheel' group from *BSD) have access to sudo.

Those users can use sudo to run software with elevated privileges; the
software can take advantage of that, like it can take advantage of su,
but it is a property of the *user* not the application.

> I feel that if I want to run a series of tools that require extra
> privileges, it is simple enough to su to root and be done with it. 

Well, in the simplest case that will not work for GUI tools as they will
lose a number of essential elements of X security.  

> I would however, love to hear how the security of sudo is coming
> along, perhaps my concerns seem silly to you guys.

Being concerned about security is reasonable.  I still don't understand
exactly what your concern about sudo is though.  Can you restate it in a
short question or something?


Anyway, the essential trade-off with sudo vs su (and a root password) is
documented in the links others shot you in the thread, but comes down
to:

  With traditional su, and a root password, that password is a well
  known point to attack.

  By locking the root account Ubuntu gains security, because you can no
  longer gain access as root regardless of how well you guess.


  The cost of that is that sudo makes the password for an account in the
  'admin' group equivalent to the root password.  

  If you have multiple members of 'admin' then you have multiple
  passwords equivalent to root.


So, the trade off in security terms is that Ubuntu gains security by
having the root account locked -- no attack direct to root can succeed.

There is one account, by default, which is the equivalent of root.  

This is an account that is regularly used, because it is a normal user
account, so the password is more likely to be changed (and remembered)
than a root account that is almost never used.[1]


Oh, and if you are concerned because you don't know the security history
of sudo, vs the core su command, feel comforted: it has a good security
record, and is regularly audited and updated to address new concerns as
they develop.

Regards,
        Daniel

Footnotes: 
[1]  Obviously, this isn't true for everyone; some of us need root
     access regularly.  Those folks are likely to be the same ones who
     would have a secure root password, etc, etc.

-- 
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707        email: contact at digital-infrastructure.com.au
                 http://digital-infrastructure.com.au/

More information about the kubuntu-users mailing list