[ubuntu-hardened] RootSudo or not - what's better?

Jan Claeys lists at janc.be
Sat Nov 1 20:34:17 UTC 2014

Daniel Curtis wrote on Sat 01-11-2014 at 15:17 [+0100]:
> I would like to ask whether it would be safer to 
> create e.g. 'wheel' group, so user who is in such 
> group could use 'su -' etc. to become 'root'? Now, 
> there must be two passwords: one for a regular user 
> e.g. for login to the system and for using 'su -' to 
> become 'root' and then use second password 
> - let's say - reserved for the super user.

> Of course, we can restrict the use of 'su' command 
> by e.g. 'pam_wheel.so' etc. Now only members of
> the group 'wheel' can use the 'su' command. And so on. 

Which is more secure (1 or 2 passwords) depends on the circumstances.
I think it's better for most users to have to remember only one password
(if the users have to write the 'root' password down to remember it,
they end up being less secure); however you can do what you want with
sudo instead of su.

By default it is configured to use the "sudo" group instead of 'wheel'
in recent Ubuntu versions (if you make a user an "Administrator" in the
user administration GUI in Ubuntu Desktop, it will add the user to the
'sudo' group).  You only have to change the configuration to require
root (or "runas" or "target") password instead of the user's password.

See 'man sudoers' for documentation about how to configure that _after_
setting a password for 'root'.  (You might want to put a file in
'/etc/sudoers.d/' instead of editing '/etc/sudoers'.)

WARNING: you _can_ lock yourself out!  See 'man visudo' for doing it
somewhat more safely (less likely to lock yourself out with a typo).
Maybe try things out in a virtual machine first until you're familiar
with it.

> However 'sudo' still offers simplicity of use, better control 
> such as '/var/log/auth.log' file etc. 


Jan Claeys
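
Added example, not part of the original message and not Ubuntu's own tooling: one way to carry out the procedure described above, staging a drop-in that sets one of the sudoers password flags (rootpw, runaspw, targetpw), checking it with 'visudo -cf', and installing it only if the check passes. The function names and the file name '50-rootpw' are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and the drop-in file name are assumptions.

# Print a drop-in that makes sudo ask for the root, runas or target
# user's password instead of the invoking user's password.
render_dropin() {
    case "$1" in
        rootpw|runaspw|targetpw) ;;
        *) echo "unknown password flag: $1" >&2; return 2 ;;
    esac
    printf '# Password that sudo asks for (see sudoers(5))\n'
    printf 'Defaults %s\n' "$1"
}

# Stage the drop-in in a temp file, syntax-check it, install on success.
# Usage: install_dropin <flag> <destination path>
install_dropin() {
    flag=$1 dest=$2
    # sudo skips files in sudoers.d whose names contain '.' or end in '~',
    # so such a drop-in would silently have no effect.
    case "$(basename "$dest")" in
        *.*|*~) echo "name would be ignored by sudo: $dest" >&2; return 4 ;;
    esac
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 3; }
    tmp=$(mktemp) || return 1
    rc=1
    # The live configuration is never touched unless both steps succeed.
    if render_dropin "$flag" >"$tmp" &&
       visudo -cf "$tmp" >/dev/null &&
       install -m 0440 "$tmp" "$dest"; then
        rc=0
    else
        echo "check failed; nothing installed" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run as root, and only after 'passwd root' has set a root password:
#   install_dropin rootpw /etc/sudoers.d/50-rootpw
# Keep a second root shell open until 'sudo -k; sudo -v' has been tested.
```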
