About root account and sudo

Felipe Alfaro Solana felipe_alfaro at linuxmail.org
Tue Sep 21 11:54:50 UTC 2004


I have tried Ubuntu Linux and have found the root account is disabled 
by default, and that the use of "sudo" is encouraged, instead.

However, I think that using "sudo" brings in some security implications 
that make it dangerous. By default, in Ubuntu linux, you can gain 
superuser privileges by running "sudo" and then entering your own 
password (the same password you used at login to gain access to your 
user account). I think this is insecure: the user enters its own 
password, not the superuser password (which should be a different 
password). Thus, if the user's password gets compromised, not only its 
user account gets compromised, but also root access: a hacker can gain 
access to the user account (as she knows the password), then use "sudo" 
to gain root privileges.

So, the first thing I did after installing Ubuntu Linux, was "sudo 
passwd root", then removing myself entirely from "/etc/sudoers". Now, 
since my user and root passwords are totally different, if my user 
account gets compromised, I don't fear the intruder can easily gain 
root access.

More information about the ubuntu-users mailing list