[OT] sudo, why not su?

MrKnisely mrknisely at mrknisely.is-a-geek.org
Tue Aug 9 23:17:05 UTC 2005


David Woyciesjes wrote:

> sean at seanmiller.net wrote:
>
>>>     For example, how bad would it be if a user opened a terminal, typed
>>> 'su', ran a few quick tasks, then just walked away without typing
>>> 'exit'?
>>
>> This should be the case, but do remember that if you do multiple sudo
>> commands there's a 5 minute period during which you don't have to
>> re-enter the password... so in an Ubuntu-esque scenario where you've
>> decided to give absolute power to the user that particular security
>> risk is still there.
>
>
>     True, but it does time-out. So the risk is limited, compared to 
> using 'su'.
>
>> The more I think about it the more I am convinced that sudo should
>> not be being used like it is here... its whole purpose is to limit the
>> commands that users can run as root rather than empower them to be a
>> virtual root.
>>
>> I guess that the solution to this particular security flaw is to make
>> the first user you set up on an Ubuntu system specifically a system
>> admin user rather than a named user... ie. "sysadm"... then they
>> effectively become root and you keep their username and password
>> firmly out of the reaches of anybody else who uses the system... every
>> other user that you want to be able to empower to perform specific
>> tasks you explicitly grant that command to in the /etc/sudoers file.
>>
>> Sean
>
>
>     Agree with you here. Ubuntu should limit, by default, what the 
> first user can do in the sudoers file.
>
If you are installing the system, which the first user by definition must
be, then that person would need to put in the root password anyway.
Therefore, it makes perfect sense for that username to be permitted, by
default, to run any binary as root via sudo.

You wouldn't need to enter your own username there, you could create an
administrator *gasp* user there to have that right.  Then you could
create your own limited user after your everyday use.

MrKnisely
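
The arrangement discussed in this thread (a dedicated administrator account with full sudo rights, named users granted only specific commands, and no cached credential window), sketched as an added sudoers fragment that is not part of the original messages. The user names `alice` and `bob` and the command paths are assumptions; `sysadm` is the account name suggested in the quoted text.

```sudoers
# Fragment for /etc/sudoers. Always edit with visudo so that a syntax
# error cannot lock everyone out of sudo.
# Constructed example: user names and command paths are hypothetical.

# Require the password on every sudo invocation instead of caching the
# credential, so an unattended terminal leaves no passwordless window.
Defaults        timestamp_timeout=0

# Dedicated administrator account: may run any command as any user.
sysadm          ALL=(ALL) ALL

# Named users are granted only the specific commands they need.
# Use absolute paths, and do not list editors, pagers or interpreters:
# anything that can spawn a shell turns a limited grant into full root.
Cmnd_Alias      PKG_REFRESH = /usr/bin/apt-get update
Cmnd_Alias      PRINTING    = /usr/sbin/lpc, /usr/bin/lprm

alice           ALL=(root) PKG_REFRESH
bob             ALL=(root) PRINTING
```

Running `sudo -l` as each user lists exactly what that account has been granted.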



