[OT] sudo, why not su?
Paul Sladen
ubuntu at paul.sladen.org
Sun Aug 7 13:47:21 UTC 2005
On Sun, 7 Aug 2005, Magnus Therning wrote:
> we got to discussing, and another colleague said that OSX doesn't have a
> root password and uses 'su' with pam to give root access to users. (Is
> that correct?)
MacOSX uses 'sudo'. (Via the Security Services, rather than PAM).
> The main reason I could think of was that su+pam results in no password
> being needed while sudo requires the password of the current user.
Sudo can be configured in either mode; however, having a line with
'NOPASSWD:' set for all commands would be considered bad security practise.
> A second reason might be that sudo has more fine-grained configuration
> possibilities.
'Sudo' provides fine-grained control over which user can execute which
commands, as which other user, on which machine.
> So, all I am wondering is if there is a way to get 'su' to ask for the
> caller's password before granting root privileges.
You are required identify *yourself*, by providing something that only you
know (and not a password that is shared with anyone else). This helps
prevent an unauthorised user walking up to a logged-in machine and
deleting or trojaning programs.
> If there isn't then sudo has a real advantage over su.
'Sudo' provides a huge number of advantages. This is why Ubuntu and other
modern Unix operating systems use it. IIRC, Microsoft are switching to the
same ('sudo'-style) security model in the next release of Windows.
-Paul
--
The summer is normal here. Swansea, GB
More information about the ubuntu-users
mailing list