Security of using sudo rather than su?
Christofer C. Bell
christofer.c.bell at gmail.com
Thu Sep 14 22:00:29 UTC 2006
On 9/14/06, Christofer C. Bell <christofer.c.bell at gmail.com> wrote:
> On 9/14/06, Felipe Alfaro Solana <felipe.alfaro at gmail.com> wrote:
> > >
> > > Why is this view wrong?
> >
> > I don't know, but I agree with you:
> >
> > 1. First, I don't allow root login except locally on trusted consoles.
> > 2. Second, I set a password for root.
> > 3. Third, I configure sudo so that user's have to supply root password
> > (not theirs).
> >
> > So, in order to get access, you need to guess:
> >
> > 1. One user name
> > 2. That user's password
> > 3. root's password.
>
> No, either of two condtions to be true:
>
> 1. One user name
> 2. That user's password
>
> OR
>
> 1. root's password
>
> This is because 'sudo -i' will work regardless of root having a
> separate password or not. You decrease security by adding another
> avenue of attack.
Bah, ignore that. I missed your point #3. ;-) I wasn't aware that
you sudo allowed you to completely defeat the purpose of having it
installed in the first place.
--
Chris
"I'm from the government and I'm here to help you."
More information about the ubuntu-users
mailing list