Security of using sudo rather than su?

Mon Sep 18 08:16:26 UTC 2006

On 2006-09-18, Alan McKinnon <alan at linuxholdings.co.za> wrote:

> With sudo, the user has to prepend each command with the 
> word 'sudo'. Now some users might start doing that 
> automatically and use sudo without thinking about it (in the 
> same manner as some users blindly click OK through a series of 
> dialogs), but at least they have to type it and consciously 
> enter their password at least once, so there's some chance 
> they'll think a little about it.
>
> Contrast that with 'su' and keep in mind that Ubuntu's majority 
> user profile is general users on their own personal 
> workstation. Therefore the average user HAS the root password, 
> so to get root access to do valid root stuff like 'apt-get 
> install ... ' they will 'su -', and get a console where all 
> bets are off and they have unrestricted access. Now the 
> deterrent factor of sudo is gone and replaced with ... nothing.

I've come to agree with this except for two problems, which I'll
mention below.  And the default config for sudo means you don't (as I
had wrongly suspected) have to type the password over and over for
multi-step maintenance tasks.

$ sudo aptitute update  # enter your password
$ aptitude upgrade      # throws an error when you answer 'Y' because
                        # the command needs root privileges to work
$ sudo aptitude upgrade # you don't have to enter the password again
                        # unless you've waited too long

Problem 1: sudo executes the command directly and ignores aliases:
for example, `sudo rm foo/*` ignores "alias rm='rm -vi'".

Problem 2: it can be a bit of a pain to find and edit a file in a
directory readable only by root.  But this happens rarely, so I can't
remember a real example:

$ sudo emacs /etc/secret_config_dir/f<TAB>

[I can't remember the exact filename --- is it foobar.conf or
 fubar.conf? --- and tab completion doesn't work because
 /etc/secret_config has permissions 700 and ownership root.root]

$ sudo ls /etc/secret_config_dir
  fubar.conf fubar.conf.d

$ sudo ls /etc/secret_config_dir/fubar.conf 

[But at least now I can open the files in fubar.conf.d/ because emacs
 is running with root privileges!]

> I myself activate the root account on my own machines. 

So do I, but I'm learning to use su less and less.

> Like you, I understand the risks, but there's no ways I'd do it for
> the regular users I see around me. Ubuntu has made the best possible
> choice and compromise here - use the most suitable settings by
> default and give the pros the means to change it to something else
> if they want to.

I agree now.