About root account and sudo
Felipe Alfaro Solana
felipe_alfaro at linuxmail.org
Tue Sep 21 11:54:50 UTC 2004
Hello,
I have tried Ubuntu Linux and have found the root account is disabled
by default, and that the use of "sudo" is encouraged, instead.
However, I think that using "sudo" brings in some security implications
that make it dangerous. By default, in Ubuntu Linux, you can gain
superuser privileges by running "sudo" and then entering your own
password (the same password you used at login to gain access to your
user account). I think this is insecure: the user enters their own
password, not the superuser password (which should be a different
password). Thus, if the user's password gets compromised, not only does
their user account get compromised, but also root access: a hacker can
gain access to the user account (as she knows the password), then use
"sudo" to gain root privileges.
So, the first thing I did after installing Ubuntu Linux was "sudo
passwd root", then removing myself entirely from "/etc/sudoers". Now,
since my user and root passwords are totally different, if my user
account gets compromised, I don't fear the intruder can easily gain
root access.
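
As an added example (not part of the original post), the following sketch lists which sudoers entries grant full root and which password sudo would ask for, using the real sudoers flags `rootpw`, `targetpw` and `NOPASSWD`. The sample file is constructed, the function name `audit` is hypothetical, and the parser is deliberately simplified: no aliases, includes, line continuations or per-user `Defaults`.

```python
import re

# Constructed sample, resembling a default-style sudoers file (not from the post).
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
felipe  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# who  host = (runas) TAG: ... command
RULE = re.compile(
    r"^(\S+)\s+[^=\s]+\s*=\s*(?:\(([^)]*)\))?\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit(sudoers_text):
    """Return [(principal, password_asked)] for entries that give full root.

    password_asked is "own", "root", "target" or "none".
    """
    flags, grants = set(), []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            if line[8:9].isspace():  # global Defaults only (assumption)
                for opt in line[8:].split(","):
                    opt = opt.strip()
                    if opt.startswith("!"):
                        flags.discard(opt[1:].strip())
                    else:
                        flags.add(opt)
            continue
        m = RULE.match(line)
        if m:
            grants.append(m.groups())
    asked = "root" if "rootpw" in flags else "target" if "targetpw" in flags else "own"
    findings = []
    for who, runas, tags, cmd in grants:
        runas_users = (runas or "root").split(":")[0].replace(" ", "").split(",")
        as_root = bool({"ALL", "root"} & set(runas_users))
        if who == "root" or cmd.strip() != "ALL" or not as_root:
            continue  # only unrestricted root grants are reported
        findings.append((who, "none" if "NOPASSWD" in tags else asked))
    return findings

if __name__ == "__main__":
    for who, pw in audit(SAMPLE_SUDOERS):
        print(f"{who}: full root via sudo, password asked: {pw}")
```

Entries reported as "own" are the case the post describes, where the account password alone is enough to reach root.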