Security of using sudo rather than su?
a24061 at yahoo.com
Thu Sep 14 17:39:52 UTC 2006
On 2006-09-14, Alan McKinnon <alan at linuxholdings.co.za> wrote:
> sudo suffers from a flaw as far as easy configuration is
> concerned - there are no sane defaults. i.e. if you try to come
> up with some sane defaults, you won't find any.
> It's up to the admin of a machine to consider the users and
> services on the machine and do the right thing for that setup.
> Hence the only possible default - members of the admin group
> can become root and do any root things they wish.
> Besides, security is a relative concept anyway, and those who claim
> that one of these models is better or worse than the other just
> because, usually have not the foggiest idea of what they are talking about
> or what happens in real life.
Note: I wasn't claiming su was better than sudo --- I was asking for
> By example: every personal workstation I have looked into in the
> last year has had the SAME password for the main user and
> root. EVERY SINGLE ONE. The users say they get fed up having to
> remember more than one password.
> Some of them keep the same password on all machines for years...
I'm under the impression that forcing users to change passwords very
frequently (and I realize you're not necessarily advocating *frequent*
changes) is bad for security --- because the increased cognitive load
leads them to pick lower-quality passwords than they might otherwise
use and to try to rotate them (e.g. 4lm0nds1 -> 4lm0nds2 -> 4lm0nds3
and so on until the system will let them use the first one again).