sudo and the root account

Ben Edwards funkytwig at gmail.com
Wed Oct 6 15:23:16 UTC 2004


On Tue, 5 Oct 2004 13:32:33 -0700, Matt Zimmerman <mdz at canonical.com> wrote:
> On Tue, Oct 05, 2004 at 03:01:49PM -0400, Brett Kirksey wrote:
> 
> > 3. Instead of having to just guess the root password, an attacker now has
> > to guess the admin username and the admin password. That might not be
> > particularly difficult if they know your system, but from an external
> > perspective it does make things harder.
> 
> From a security perspective, the sudo configuration that we provide is
> roughly equivalent to having a user who knows the root password and uses su.
> It does not seem significantly more or less secure than the traditional
> configuration overall, though the two have some different security
> characteristics.
> 
> In both cases, if an attacker is able to compromise the uid of a user who
> uses root privileges (whether via su or sudo), the attacker effectively has
> access to root as well.

Wouldn't it be true to say the root account is more likely to have a
better (more obscure/longer/mixed case/numbers...) password than a user
account?

Ben
