[OT] sudo, why not su?

sean at seanmiller.net sean at seanmiller.net
Tue Aug 9 14:05:11 UTC 2005


> 	For example, how bad would it be if a user opened a terminal, typed
> 'su', ran a few quick tasks, then just walked away without typing 'exit'?

This should be the case, but do remember that if you do multiple sudo
commands there's a 5 minute period during which you don't have to re-enter
the password... so in an Ubuntu-esque scenario where you've decided to give
absolute power to the user that particular security risk is still there.

The more I think about it the more I am convinced that sudo should not be
being used like it is here... its whole purpose is to limit the commands
that users can run as root rather than empower them to be a virtual root.

I guess that the solution to this particular security flaw is to make the
first user you set up on an Ubuntu system specifically a system admin user
rather than a named user... i.e. "sysadm"... then they effectively become
root and you keep their username and password firmly out of the reaches of
anybody else who uses the system... every other user that you want to be
able to empower to perform specific tasks you explicitly grant that
command to in the /etc/sudoers file.

Sean
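
An added example, not part of the original post: an /etc/sudoers fragment sketching the arrangement described above, with the password cache disabled and named users granted only specific commands. The account name "alice", the alias names and the command paths are assumptions for illustration; "sysadm" is the name suggested in the post.

```sudoers
# Constructed example. "alice", the alias names and the command paths
# are hypothetical; adjust them to the tasks actually being delegated.

# Prompt for the password on every sudo invocation instead of caching
# the credential for several minutes after the first command.
Defaults        timestamp_timeout=0

# Broad grant of the kind the post argues against for a named user
# (left commented out here):
#   alice   ALL=(ALL) ALL

# A dedicated admin account holds the root-equivalent rights.
sysadm  ALL=(ALL) ALL

# Named users receive only the commands they need, run as root.
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/reboot
alice   ALL=(root) PRINTING, SHUTDOWN
```

Edit the file with `visudo`, which syntax-checks it before saving; where a cache is left enabled, `sudo -k` drops the cached credential before leaving a terminal unattended.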



