Using sudo to Keep Admins Honest? sudon't!

Toby Kelsey toby_kelsey at
Sat Nov 4 12:44:05 GMT 2006

Tristan Wibberley wrote:

> According to Matt Zimmerman:
> "You should consider a user with unlimited sudo privileges to be 
> equivalent to root from a security perspective."

That's unnecessarily absolutist. The sudo password provides a real barrier.

> So the default user in Ubuntu *is* root, except that sudo just "prompts 
> for the user's password as a secondary check which prevents certain 
> casual attacks (for example, leaving a session open without locking
> the screen)." - again according to Matt Zimmerman

So any user 'is' root, you just need the password for 'su'. In fact the login
prompt 'is' root as well by that argument.

> It is a *huge* misconception that Ubuntu does not run as root by 
> default, because for all security related purposes... it does. It is 
> trivial to escalate privileges once you have compromised somebody's account.
> You should *never* use your default account for day-to-day usage. 

That's silly.  So you should have a second account, which you log in from to
your first account, which you run sudo from?  But then the second account is
equivalent to root because it is trivial to escalate privileges, so you need
a third account from which you log into your second account, but then ...

The reality is that the default user must have a way of performing 
administrative functions.  That requires escalating privileges.  If an attacker 
cannot crack the system directly then they need to compromise the user account, 
and trick the user into giving them extra privileges.  Using sudo can make that


More information about the sounder mailing list