Musings on su and sudo [Was: Re: [OT] sudo, why not su?]

Magnus Therning magnus at therning.org
Tue Aug 9 22:06:10 UTC 2005


Damn it. I really did the best I could to stay away from this thread :-)

On Tue, Aug 09, 2005 at 10:27:29AM -0400, David Woyciesjes wrote:
>sean at seanmiller.net wrote:
>
>>>For example, how bad would it be if a user opened a terminal, typed
>>>'su', ran a few quick tasks, then just walked away without typing 'exit'?
>>This should be the case, but do remember that if you do multiple sudo
>>commands there's a 5 minute period during which you don't have to
>>re-enter the password... so in a Ubuntu-esque scenario where you've
>>decided to give absolute power to the user that particular security
>>risk is still there.
>
>True, but it does time-out. So the risk is limited, compared to using
>'su'.
>
>>The more I think about it the more I am convinced that sudo should not
>>be being used like it is here... its whole purpose is to limit the
>>commands that users can run as root rather than empower them to be a
>>virtual root.  I guess that the solution to this particular security
>>flaw is to make the first user you set up on a Ubuntu system
>>specifically a system admin user rather than a named user... ie.
>>"sysadm"... then they effectively become root and you keep their
>>username and password firmly out of the reaches of anybody else who
>>uses the system... every other user that you want to be able to
>>empower to perform specific tasks you explicitly grant that command to
>>in the /etc/sudoers file.
>>Sean
>
>Agree with you here. Ubuntu should limit, by default, what the first
>user can do in the sudoers file.

The only problem is that it leads to somewhat of a catch-22!

If the first user can't perform every task that root can, then there
must be a way to become root, i.e. root must have a password. This works
against the Ubuntu design goal that a newly installed system has no root
password.

If there is no root password then the first user must be able to perform
every task that root can...

How can it be solved? I really don't know.

I currently have the following setup on my system (it's been in flux
recently; hopefully it'll settle down sometime soon):

 1. sudo can be used by the first user to run a few system commands that
    require root privileges. They include the applications I run most
    often that require root: package management, wvdial. The first user
    can also run 'sudo su -', which I use to become root for other, less
    frequent, tasks.

 2. su can only be run by members of the adm group. root is member of
    the adm group as well.

AFAICS the big hole in this setup is that su doesn't time out. It relies
entirely on my remembering to end root shells. A possible solution seems
to have been available in idled[1]. That probably comes with its own
security problems though...

/M

1. http://www.darkwing.com/idled/

-- 
Magnus Therning                    (OpenPGP: 0xAB4DFBA4)
magnus at therning.org
http://therning.org/magnus

Software is not manufactured, it is something you write and publish.
Keep Europe free from software patents, we do not want censorship
by patent law on written works.

Imagine if every Thursday your shoes exploded if you tied them the usual
way. This happens to us all the time with computers, and nobody thinks of
complaining.
     -- Jef Raskin
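The setup described in the message above, rendered into files as an added example (not code from the thread or from the ubuntu-users list): it assumes the first user is called `magnus`, that "package management" means `apt-get`/`dpkg`, and that the system has `/etc/sudoers.d` and `pam_wheel`; the `TMOUT` fragment is an addition covering the "su doesn't time out" gap the message names.

```shell
#!/bin/sh
# Added example, not from the original thread. Renders the setup described
# above into files: a limited sudo policy for the first user plus a PAM rule
# that lets only adm members run su. Assumed: the account is "magnus",
# package management means apt-get/dpkg, the system has /etc/sudoers.d and
# pam_wheel. The TMOUT fragment is an addition for the "su never times out"
# gap (bash only; dash ignores TMOUT). Pass a scratch directory as $1 to
# preview without touching the live system.
set -eu

write_policy() {
    root="${1:?usage: write_policy <root-dir>}"
    mkdir -p "$root/etc/sudoers.d" "$root/etc/pam.d" "$root/etc/profile.d"

    # sudoers: only the listed commands, plus 'su -' for the rarer tasks.
    # 'sudo su -' still yields unrestricted root, so this narrows the
    # day-to-day surface, not the user's ultimate privilege.
    cat > "$root/etc/sudoers.d/first-user" <<'EOF'
Defaults        timestamp_timeout=5
Cmnd_Alias      PKGMGMT = /usr/bin/apt-get, /usr/bin/dpkg
Cmnd_Alias      DIALUP  = /usr/bin/wvdial
Cmnd_Alias      ROOTSH  = /bin/su -
magnus  ALL = (root) PKGMGMT, DIALUP, ROOTSH
EOF
    chmod 0440 "$root/etc/sudoers.d/first-user"

    # PAM: this one line belongs near the top of the real /etc/pam.d/su;
    # it is written as a separate fragment so nothing is clobbered.
    printf '%s\n' 'auth    required    pam_wheel.so group=adm' \
        > "$root/etc/pam.d/su.adm-only"

    # Idle time-out for root shells: closes the forgotten 'su' session.
    cat > "$root/etc/profile.d/root-timeout.sh" <<'EOF'
# Log root's interactive bash shells out after 10 minutes idle.
if [ "$(id -u)" -eq 0 ] && [ -n "${BASH_VERSION:-}" ]; then
    readonly TMOUT=600
fi
EOF

    # Syntax check without installing anything (needs sudo installed).
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$root/etc/sudoers.d/first-user" \
            || echo "warning: visudo rejected the fragment" >&2
    fi
}
```

Run it as `write_policy /tmp/preview` first and inspect the three files before merging them into the real `/etc`; the PAM line must be merged by hand into `/etc/pam.d/su`, not copied over it.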