[OT] sudo, why not su?

Paul Sladen ubuntu at paul.sladen.org
Sun Aug 7 13:47:21 UTC 2005


On Sun, 7 Aug 2005, Magnus Therning wrote:
> we got to discussing, and another colleague said that OSX doesn't have a
> root password and uses 'su' with pam to give root access to users. (Is
> that correct?)

MacOSX uses 'sudo'.  (Via the Security Services, rather than PAM).

> The main reason I could think of was that su+pam results in no password
> being needed while sudo requires the password of the current user.

Sudo can be configured in either mode;  however, having a line with
'NOPASSWD:' set for all commands would be considered bad security practice.

> A second reason might be that sudo has more fine-grained configuration
> possibilities.

'Sudo' provides fine-grained control over which user can execute which
commands, as which other user, on which machine.

> So, all I am wondering is if there is a way to get 'su' to ask for the
> caller's password before granting root privileges.

You are required to identify *yourself*, by providing something that only you
know (and not a password that is shared with anyone else). This helps
prevent an unauthorised user walking up to a logged-in machine and
deleting or trojaning programs.

> If there isn't then sudo has a real advantage over su.

'Sudo' provides a huge number of advantages.  This is why Ubuntu and other
modern Unix operating systems use it.  IIRC, Microsoft are switching to the
same ('sudo'-style) security model in the next release of Windows.

	-Paul
-- 
The summer is normal here.  Swansea, GB
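
Added example, not part of the original message: a small audit that parses sudoers user specifications into who / host / run-as / command entries and flags the blanket 'NOPASSWD:' case the reply calls bad practice. The sample lines and the function names are constructed for illustration, and the parser assumes single-line specifications (no aliases, no ':'-joined host groups, no escaped commas).

```python
import re

# Constructed sample sudoers lines (not from the original message).
SAMPLE = """\
# User privilege specification
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) NOPASSWD: ALL
alice   web01=(www-data) NOPASSWD: /usr/sbin/apachectl graceful, PASSWD: /usr/bin/systemctl restart apache2
bob     ALL=(root) /usr/bin/apt-get update, NOPASSWD: /usr/bin/uptime
"""

# who  host_list = command_list
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*(?P<rest>.+)$")
# [(runas)] [TAG: ...] command
CMD = re.compile(r"^(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")


def parse_sudoers(text):
    """Yield one dict per command in each single-line user specification."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # simplified comment handling
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        runas, nopasswd = "root", False  # sudoers defaults: run as root, ask for password
        # Split the command list on commas that are not inside "(...)".
        for part in re.split(r",\s*(?![^()]*\))", m["rest"]):
            c = CMD.match(part.strip())
            if not c:
                continue
            # A run-as spec and the PASSWD/NOPASSWD tag carry over to later commands.
            if c["runas"] is not None:
                runas = c["runas"]
            for tag in re.findall(r"[A-Z_]+", c["tags"]):
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            yield {"who": m["who"], "hosts": m["hosts"], "runas": runas,
                   "nopasswd": nopasswd, "cmd": c["cmd"].strip()}


def blanket_nopasswd(text):
    """Return users/groups allowed to run ALL commands without a password."""
    return [e["who"] for e in parse_sudoers(text)
            if e["nopasswd"] and e["cmd"] == "ALL"]


if __name__ == "__main__":
    print("NOPASSWD on ALL commands:", blanket_nopasswd(SAMPLE))
```

On a real system, 'visudo -c' checks the syntax of the live file and 'sudo -l -U <user>' shows the rules sudo itself resolves for a user.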




