[OT] sudo, why not su?

David Woyciesjes woyciesjes at sbcglobal.net
Tue Aug 9 14:27:29 UTC 2005


sean at seanmiller.net wrote:

>>	For example, how bad would it be if a user opened a terminal, typed
>>'su', ran a few quick tasks, then just walked away without typing 'exit'?
> 
> 
> This should be the case, but do remember that if you do multiple sudo
> commands there's a 5 minute period during which you don't have to re-enter
> the password... so in a Ubuntu-esque scenario where you've decided to give
> absolute power to the user that particular security risk is still there.

	True, but it does time out. So the risk is limited, compared to using 'su'.

> The more I think about it the more I am convinced that sudo should not be
> being used like it is here... its whole purpose is to limit the commands
> that users can run as root rather than empower them to be a virtual root.
> 
> I guess that the solution to this particular security flaw is to make the
> first user you set up on a Ubuntu system specifically a system admin user
> rather than a named user... ie. "sysadm"... then they effectively become
> root and you keep their username and password firmly out of the reaches of
> anybody else who uses the system... every other user that you want to be
> able to empower to perform specific tasks you explicitly grant that
> command to in the /etc/sudoers file.
> 
> Sean

	Agree with you here. Ubuntu should limit, by default, what the first 
user can do in the sudoers file.

-- 
--- Dave Woyciesjes
--- ICQ# 905818
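
Added example (not part of the original message): a sudoers fragment sketching the layout discussed in this thread, with a dedicated "sysadm" account holding full rights, another user limited to listed commands, and the password cache turned off. The user name "alice", the alias name and the command paths are assumptions chosen for illustration.

```sudoers
# /etc/sudoers fragment (edit with visudo). Constructed example.

# Ask for the password on every sudo invocation instead of caching
# the credential, so an unattended terminal cannot reuse it.
Defaults        timestamp_timeout=0

# Dedicated administrative account, as proposed in the thread.
sysadm          ALL=(ALL) ALL

# Hypothetical named user: only the listed commands, run as root.
# Paths and arguments are assumptions; adjust to the local system.
Cmnd_Alias      POWER = /sbin/shutdown -h now, /sbin/shutdown -r now
alice           ALL=(root) POWER
```

`visudo -c` checks the file's syntax before it takes effect, and `sudo -k` discards a cached credential when the timeout is left above zero.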




