Security of using sudo rather than su?

Adam Funk a24061 at yahoo.com
Thu Sep 14 12:05:12 UTC 2006


On 2006-09-14, Alan McKinnon <alan at linuxholdings.co.za> wrote:

> It's not wrong, but it's also not the end of the story - you are 
> neglecting to consider what happens in a commercial/enterprise 
> setup, or anything other than a simple personal workstation.
>
> Consider a company's mail server. Traditionally, this would have 
> a regular root account with a password. If an admin needed to do 
> root stuff, then he'd su and have full root privileges. The 
> trouble with su is that it's all or nothing. If you need a 
> junior person to have elevated permissions on that machine you 
> have to give him full total unfettered root access AND YOU DO 
> NOT HAVE MUCH OF A CHOICE ABOUT THIS. Now suddenly you have a 
> grave security risk - a junior person has complete access to 
> everything on that machine, not just the stuff you'd like him 
> to have. sudo allows you to selectively assign root privileges 
> on a per user basis.

Absolutely --- that's the sort of situation that sudo was intended
for, isn't it?  But the Ubuntu default --- for the simple personal
workstation --- is

  %admin ALL=(ALL) ALL

which is quite different.


> If you don't like the idea of having just one password for 
> protection, there are things you can do to decrease the risk:
>
> enforce strong passwords
> use ssh keys
> limit who is a member of the admin group
> limit which machines can ssh in
>
> Once you consider the full picture, which includes the humans 
> involved and their strange willingness to reveal passwords for 
> a candy bar, and the increased exposure offered by su, you 
> quickly see that sudo is a superior system, as long as you 
> don't do something dumb like set your password to "password".

All good points, of course.
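
Added example, not part of the original message or of sudo itself: a small Python check that separates the blanket `%admin ALL=(ALL) ALL` grant quoted above from per-user, per-command rules of the kind described for the mail server. The sample sudoers text, the `junior` and `backup` users, `mailhost` and the command paths are constructed for illustration, and the parser is a simplification of the sudoers grammar.

```python
import re

# Constructed sample: the Ubuntu default quoted in the message plus
# hypothetical restricted rules (names, host and paths are made up).
SAMPLE = """\
Defaults env_reset
Cmnd_Alias MAILQ = /usr/sbin/postqueue -f, /usr/sbin/postfix reload
%admin ALL=(ALL) ALL
junior mailhost = (root) MAILQ
backup ALL = NOPASSWD: /usr/bin/rsync
"""

# who  hosts = [(runas)] commands  -- simplified: no line continuations,
# no ':'-chained specs, aliases are not expanded.
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP = ("#", "@include", "Defaults", "User_Alias", "Runas_Alias",
        "Host_Alias", "Cmnd_Alias")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, NOEXEC:, ...

def parse_rules(text):
    """Return one dict per user specification line."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        m = None if line.startswith(SKIP) else SPEC.match(line)
        if not m:
            continue
        # Runas defaults to root when the (runas) part is omitted.
        users = (m["runas"] or "root").split(":")[0]
        rules.append({
            "who": m["who"],
            "hosts": [h.strip() for h in m["hosts"].split(",")],
            "runas": [u.strip() for u in users.split(",")],
            "cmds": [TAGS.sub("", c.strip()) for c in m["cmds"].split(",")],
        })
    return rules

def full_root(text):
    """Names whose rule allows any command as root (su-equivalent)."""
    return [r["who"] for r in parse_rules(text)
            if "ALL" in r["cmds"] and {"ALL", "root"} & set(r["runas"])]

if __name__ == "__main__":
    for r in parse_rules(SAMPLE):
        print(r["who"], "->", ", ".join(r["cmds"]))
    print("unrestricted root:", full_root(SAMPLE))
```

Only `%admin` is reported: membership of that group is equivalent to holding the root password, while the other two rules are limited to named commands.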
