Security of using sudo rather than su?

Christofer C. Bell christofer.c.bell at gmail.com
Thu Sep 14 21:58:05 UTC 2006


On 9/14/06, Felipe Alfaro Solana <felipe.alfaro at gmail.com> wrote:
> >
> > Why is this view wrong?
>
> I don't know, but I agree with you:
>
> 1. First, I don't allow root login except locally on trusted consoles.
> 2. Second, I set a password for root.
> 3. Third, I configure sudo so that user's have to supply root password
> (not theirs).
>
> So, in order to get access, you need to guess:
>
> 1. One user name
> 2. That user's password
> 3. root's password.

No, either of two condtions to be true:

1. One user name
2. That user's password

OR

1. root's password

This is because 'sudo -i' will work regardless of root having a
separate password or not.  You decrease security by adding another
avenue of attack.

-- 
Chris

"I'm from the government and I'm here to help you."




More information about the ubuntu-users mailing list