Security of using sudo rather than su?
Paul Sladen
ubuntu at paul.sladen.org
Thu Sep 14 22:12:55 UTC 2006
On Thu, 14 Sep 2006, Felipe Alfaro Solana wrote:
Hello Felipe,
Thank you for writing about some of your interesting ideas about using a
legacy 'su' setup.
> So, in order to get access, you need to guess:
> 1. One user name
> 2. That user's password
> 3. root's password.
Let's think about this:
1. _Any_ username on the system.
(An open terminal-window---or an insecure script running as
the webserver gets you access as 'www-data'---will be fine).
2. Likely we didn't need a password so far.
3. One shared password got from any, of say ten, people who have been
let into the administrator's super secret club.
Ten people knowing one password? This is like telling ten people the
pin-number for your bank/credit card. Think how fast gossip travels when
more than one person knows "a secret".
One bottle of alcohol, some bribery or similar gets you that shared
information *fast*. If you didn't succeed with the first sys-admin, then
there are nine more attempts to try.
Neither is changing a shared secret fast. Everyone needs to be re-informed
of the new code before they can use it. Because of everybody sharing one
identity, there is no way to track down the leak---or even to detect that it
has occurred.
Now... sudo asks the user to /prove/ that they /are/ who they say they are.
That's a start on the way to real security.
-Paul
--
High on a tall bridge, surrounded by noisy lorries. Southampton, GB