Security of using sudo rather than su?
Christofer C. Bell
christofer.c.bell at gmail.com
Thu Sep 14 21:58:05 UTC 2006
On 9/14/06, Felipe Alfaro Solana <felipe.alfaro at gmail.com> wrote:
> > Why is this view wrong?
> I don't know, but I agree with you:
> 1. First, I don't allow root login except locally on trusted consoles.
> 2. Second, I set a password for root.
> 3. Third, I configure sudo so that users have to supply root password
> (not theirs).
> So, in order to get access, you need to guess:
> 1. One user name
> 2. That user's password
> 3. root's password.
No, either of two conditions needs to be true:

1. One user name
2. That user's password

1. root's password
This is because 'sudo -i' will work regardless of root having a
separate password or not. You decrease security by adding another
avenue of attack.
"I'm from the government and I'm here to help you."