Security of using sudo rather than su?

Alan McKinnon alan at linuxholdings.co.za
Thu Sep 14 09:45:14 UTC 2006


On Thursday 14 September 2006 11:18, Adam Funk wrote:
> I've read the official explanation of the locked root account
> [1] and it still seems to me that this system can reduce
> security (in comparison with the traditional approach)
> because an attacker (especially a remote attacker) can gain
> root privileges by cracking one password (the main user's)
> rather than two (since normally root isn't allowed to log in
> over ssh).
>
> Why is this view wrong?

It's not wrong, but it's also not the end of the story - you are 
neglecting to consider what happens in a commercial/enterprise 
setup, or anything other than a simple personal workstation.

Consider a company's mail server. Traditionally, this would have 
a regular root account with a password. If an admin needed to do 
root stuff, then he'd su and have full root privileges. The 
trouble with su is that it's all or nothing. If you need a 
junior person to have elevated permissions on that machine you 
have to give him full total unfettered root access AND YOU DO 
NOT HAVE MUCH OF A CHOICE ABOUT THIS. Now suddenly you have a 
grave security risk - a junior person has complete access to 
everything on that machine, not just the stuff you'd like him 
to have. sudo allows you to selectively assign root privileges 
on a per user basis.

If you don't like the idea of having just one password for 
protection, there are things you can do to decrease the risk:

enforce strong passwords
use ssh keys
limit who is a member of the admin group
limit which machines can ssh in

Once you consider the full picture, which includes the humans 
involved and their strange willingness to reveal passwords for 
a candy bar, and the increased exposure offered by su, you 
quickly see that sudo is a superior system, as long as you 
don't do something dumb like set your password to "password".

And this subject has been thoroughly discussed to death on this 
mailing list and other places. 

alan
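To make the "selectively assign root privileges on a per user basis" point concrete, here is a sudoers drop-in for the mail-server scenario from the reply above. It is an added example, not from this thread or from the sudo project; the user name jsmith, the host names and the Debian-style binary paths are assumptions.

```sudoers
# Added example (not from the thread): /etc/sudoers.d/mailadmin
# jsmith, the host names and the paths below are assumptions.
# Edit it with: visudo -f /etc/sudoers.d/mailadmin  (visudo syntax-checks the file)

# Defaults that raise the bar against the "only one password" worry
Defaults        timestamp_timeout=5        # re-prompt after 5 idle minutes
Defaults        passwd_tries=3             # three wrong passwords and sudo gives up
Defaults        logfile=/var/log/sudo.log  # log every attempt, granted or refused
Defaults        use_pty                    # run in a pty; no stray background processes
Defaults        env_reset                  # drop the caller's environment

# Aliases keep the per-user grants short and auditable
Host_Alias      MAILSERVERS = mail1, mail2
Cmnd_Alias      MAIL_OPS    = /usr/sbin/postfix start, \
                              /usr/sbin/postfix stop, \
                              /usr/sbin/postfix reload, \
                              /usr/sbin/postfix flush, \
                              /usr/bin/mailq
# Arguments are spelled out in full: a '*' wildcard in sudoers matches
# across word boundaries, so "tail * /var/log/mail.log" would also allow
# "tail /etc/shadow /var/log/mail.log".
Cmnd_Alias      MAIL_LOGS   = /usr/bin/tail -n 200 /var/log/mail.log, \
                              /usr/bin/tail -f /var/log/mail.log

# The junior admin: exactly these commands, on these hosts, as root, nothing else.
# NOEXEC stops the granted programs from spawning other commands (shell escapes),
# and there is deliberately no NOPASSWD, so his own password is still required.
jsmith          MAILSERVERS = (root) NOEXEC: MAIL_OPS, MAIL_LOGS

# For contrast, what su (or a careless sudoers) hands out: everything.
# jsmith        ALL = (ALL) ALL
```

Each line in /var/log/sudo.log then names the user, host, working directory, target user and exact command, which is the audit trail the all-or-nothing su model never gives you.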




More information about the ubuntu-users mailing list