sudo and the root account

Matt Zimmerman mdz at canonical.com
Tue Oct 5 20:32:33 UTC 2004


On Tue, Oct 05, 2004 at 03:01:49PM -0400, Brett Kirksey wrote:

> 3. Instead of having to just guess the root password, an attacker now has
> to guess the admin username and the admin password. That might not be
> particularly difficult if they know your system, but from an external
> perspective it does make things harder.

From a security perspective, the sudo configuration that we provide is
roughly equivalent to having a user who knows the root password and uses su.
It does not seem significantly more or less secure than the traditional
configuration overall, though the two have some different security
characteristics.

In both cases, if an attacker is able to compromise the uid of a user who
uses root privileges (whether via su or sudo), the attacker effectively has
access to root as well.

-- 
 - mdz