[OT] sudo, why not su?

Magnus Therning magnus at therning.org
Mon Aug 8 08:05:51 UTC 2005


On Sun, Aug 07, 2005 at 11:57:47PM -0400, MrKnisely wrote:
>Magnus Therning wrote:
>
>>On Sun, Aug 07, 2005 at 11:18:14AM -0400, MrKnisely wrote:
>> 
>>>Perhaps it is important to remember that although you can do the same
>>>tasks with two commands, they are not meant to be replacements for one
>>>another.  Per man:
>>>su - Change user ID or become super-user
>>>sudo - execute a command as another user
>>>Note that with su you are becoming that other user.  Most of us are
>>>familiar with becoming root, since we often run single user machines
>>>and need to run a few commands as root; however, in a multi-user
>>>environment I've used su to become users to test security I've put in
>>>place.  Now, let's take this a step further.  Is it a good idea for
>>>user1 to become user2?  No, user1 should only be able to become user2 if
>>>user1 is also able to become root, since root could do this anyway.
>>>This is why su requires root's password. Sudo, on the other hand, is
>>>just to allow a user to run a program with the elevated privilege of
>>>root.
>>>   
>>Yes, so that would explain, on a philosophical level, why 'sudo' is used
>>instead of 'su'. It also explains why 'sudo' asks for the user's
>>password, and 'su' for root's. It's a really good point.
>> 
>>>Now, there is a way around this.  "sudo su"  Again, I don't recommend
>>>this, but it works.
>>>   
>>Another good point. So there is a little bit of a crack, but since
>>'sudo' can be extensively configured it can probably be closed up.
>> 
>>>Perhaps an alias for su to this command is what you want.
>>>   
>>No! That is not at all what I'm looking for. All I ever wanted to know
>>was if 'su' can, in some way, be set up, probably using pam, in such a
>>way that it doesn't ask for root's password, but rather asks for the
>>user's password. That's all, nothing more, nothing less.
>>I'm perfectly happy typing 'sudo' for all my "root tasks". I haven't
>>been missing 'su' at all since switching from Debian to Ubuntu. I was
>>just interested in finding out whether su+pam would be a replacement for
>>'sudo' for the scenario where:
>>- there is only one user on a machine
>>- there is no root password
>>I.e. basically the situation of a newly installed Ubuntu machine.
>>/M
>> 
>Hmmm... One other suggestion.  I believe that you could do this if you
>edited your /etc/passwd file and gave yourself the uid of 0.  Then, it
>would work... I think.

Yes, I think you're right. But I don't think I'd ever need to use 'su'
or 'sudo' then, since I _am_ root if I have a uid of 0 :-)

>Other than that solution there is no way to call the su binary and just
>enter your own password; at least not that I can imagine.  The reason
>for this is that you are not simply assuming the "root" user.  You are
>actually assuming another, any other, user's identity... "root" just
>happens to be the default.  The command su user2 would make you user2
>in the eyes of your shell.  This in itself requires root access to do.
>Since this requires root permissions, you must either be root to do it,
>or be able to elevate your own permissions to accomplish this, i.e. sudo
>su. In short, there is not a way that I can perceive to make su act in
>the manner you are requesting.  Though, I have been told by my
>programmer friends that there is never a situation where a program
>won't do your bidding... all it needs is a little code.  I'm not a
>programmer, but I'm sure some geek here could put together a patch.
>;o)

Of course, add a pam-module and you can get 'su' to behave in any way
you want.

However, this is the answer I was looking for, thanks. To recap:

 No, it's not possible to have su ask for the calling user's password.

>This has been a fun question to work on.  Thanks for the challenge.

It's been a challenge trying to get people to understand what I wanted
to know.

/M

-- 
Magnus Therning                    (OpenPGP: 0xAB4DFBA4)
magnus at therning.org
http://therning.org/magnus

Software is not manufactured, it is something you write and publish.
Keep Europe free from software patents, we do not want censorship
by patent law on written works.

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
     -- Benjamin Franklin, Historical Review of Pennsylvania.