Advantages of 'sudo' Over 'su'?
Hudson Delbert J Contr 61 CS/SCBN
Delbert.Hudson at LOSANGELES.AF.MIL
Fri Oct 1 15:50:05 UTC 2004
Jim,
if this were a netsec or firewall list, brett would have gotten roasted for
asking this question. obviously brett's doesnt understand that security
is about putting as many road blocks to successful 'rooting' is a way of
life in the netsec community.
if i were driving down a street that did not have many signs or signals
or patrolmen, i'd bet the farm that a lot of drivers would speed thru.
now increase the frequency of patrols, add stop lights, stop signs
and speed bumps....well one gets the picture i hope.
have a good one everybody.
~piranha
-----Original Message-----
From: ubuntu-users-bounces at lists.ubuntu.com
[mailto:ubuntu-users-bounces at lists.ubuntu.com]On Behalf Of Jim Cheetham
Sent: Thursday, September 30, 2004 6:42 PM
To: ubuntu-users
Subject: Re: Advantages of 'sudo' Over 'su'?
Brett Kirksey wrote:
> I've been curious about this since I run OS X as well. What are
> the advantages of disabling the root account and adding a user
> or group to sudoers with root priveleges? Can a user given the
> same priveleges as root in sudoers do everything that root can?
> If so, why bother disabling root? The sudoer could just type
> sudo su and get the same result as su if root wre enabled?
Well, there is one trivial consequence ... instead of having to guess
"the root password", an attacker now has to guess "the admin username,
and the admin password".
Now, that might not be particularly difficult if they know your system,
but from an external perspective it does make things harder.
In a large multi-user system, of course, sudo can be used to provide
good granularity, and enable users to run "as root" only *some*
commands, and not others. This obviously isn't so important for a
desktop system :-) but it could be good for your other home users
(spouses, kids) who do need root privs to interact with hardware (ppp
and so on) but not with other stuff.
One of the prime reasons in my opinion, however, is that it avoids the
"I can do ANYTHING" interactive login by default - you will be prompted
for a password before major changes can happen, which might make you
*think* about the consequences of what you're doing! If you were logged
in as root, you'd just delete some of those useless folders and not
realise you were in the wrong directory ... until reboot time ...
If you want a whole shell instead of a command-at-a-time, use "sudo -s".
That's what I do. On some workstations I even ask sudo to trust me
without a password ... but on servers, I don't.
-jim
--
ubuntu-users mailing list
ubuntu-users at lists.ubuntu.com
http://lists.ubuntu.com/mailman/listinfo/ubuntu-users
More information about the ubuntu-users
mailing list