SU & SUDO

Daniel Pittman daniel at rimspace.net
Mon Oct 9 00:33:02 UTC 2006


Dave <dsterken at gmail.com> writes:

G'day Dave.  Sorry for the delay in responding.

> Thank you for the detailed response Daniel.  :) You might have
> misunderstood my intent, which is to disallow apps in X access to
> root, not to switch over to root while running root. Root has no place
> in X! Well, that is just my opinion. 

Sure.  Well, if you don't mind the applications that try to use root
facilities under X being broken then, sure, disable that access.

Be aware that Ubuntu does not share your opinion, however, and that you
will run into trouble trying to administer your system without that
capability.  

None of that is insurmountable, but it does demand a reasonable
knowledge of Linux to be able to identify and correct the issues as they
come up.

> I was "trying" to say that I would rather su to root in a console to
> run the tools I need.

...as in, the GUI tools, or just general administrative things?

> That aside, you mentioned several things I was unaware of. I was not
> comparing it to the wheel group, which is a very useful tool. 

Yes.  The default Ubuntu setup is comparable to a wheel-using BSD setup
in many ways.

> I agree, the developers obviously chose sudo for a reason or they
> wouldn't have woven it in.  Locking up the Root account is a good idea,
> but it still has a sudo account right, and an admin group? 

Yes.

> Isn't that like trading 1-fat cow for a group of fat cows?  

Well, by default one target for one target, but yes.

> Trading Root's password, for a sudo password that has all the
> privileges of root at the user level may not gain me any security, in
> fact, it may make things less convenient but it feels like it gives me
> more control.  

Well, it does go beyond the basics: once the use of sudo is established
it becomes more reasonable for the other features of sudo to shine
through, such as *limiting* what software can be run as root for users,
etc.

> However, I will certainly give sudo a chance based on your suggestions
> (all very wise), I must admit though, I'm still squeamish about it.
> :-)

You are right that you don't gain any security in terms of access to
root capabilities -- that still exists, and is tied to admin-capable
accounts, which there can be more of than the single root account.

Anyway, the sudo_root man page covers the reasoning of the Ubuntu team
in detail, and is probably where you should look next if you want to
understand why in more detail.

Regards,
        Daniel

Footnotes: 
[1]  Not out of the box, but in an enterprise environment where these
     were added...

-- 
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707        email: contact at digital-infrastructure.com.au
                 http://digital-infrastructure.com.au/
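
Added example (not part of the original message): a sudoers sketch of the
"limiting what software can be run as root" feature mentioned in the reply,
shown beside the unrestricted admin-group grant the thread discusses. The
group name "operators" and the two command paths are hypothetical, chosen
only for illustration.

```sudoers
# Unrestricted grant of the kind the thread discusses: any member of the
# admin group may run any command as any user, after entering their own
# password.
%admin      ALL=(ALL) ALL

# Narrower grant (constructed example): members of the hypothetical
# "operators" group may run only the listed commands, only as root.
# Because arguments are spelled out, sudo matches them exactly and
# refuses any other arguments to the same binaries.
Cmnd_Alias  PKG_REFRESH = /usr/bin/apt-get update
Cmnd_Alias  WEB_RESTART = /etc/init.d/apache2 restart
%operators  ALL=(root) PKG_REFRESH, WEB_RESTART

# Caveat: a command restriction only holds if none of the permitted
# programs can start a shell or run another program on the user's behalf
# (editors and pagers are the usual offenders), so keep the list to
# commands with fixed arguments.
```

Edit the file with visudo so a syntax error cannot lock you out, and run
"sudo -l" as an affected user to confirm which commands the policy allows.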
