Security of using sudo rather than su?
Christofer C. Bell
christofer.c.bell at gmail.com
Thu Sep 14 22:00:29 UTC 2006
On 9/14/06, Christofer C. Bell <christofer.c.bell at gmail.com> wrote:
> On 9/14/06, Felipe Alfaro Solana <felipe.alfaro at gmail.com> wrote:
> > >
> > > Why is this view wrong?
> > I don't know, but I agree with you:
> > 1. First, I don't allow root login except locally on trusted consoles.
> > 2. Second, I set a password for root.
> > 3. Third, I configure sudo so that user's have to supply root password
> > (not theirs).
> > So, in order to get access, you need to guess:
> > 1. One user name
> > 2. That user's password
> > 3. root's password.
> No, either of two condtions to be true:
> 1. One user name
> 2. That user's password
> 1. root's password
> This is because 'sudo -i' will work regardless of root having a
> separate password or not. You decrease security by adding another
> avenue of attack.
Bah, ignore that. I missed your point #3. ;-) I wasn't aware that
you sudo allowed you to completely defeat the purpose of having it
installed in the first place.
"I'm from the government and I'm here to help you."
More information about the ubuntu-users