Choosing a distribution

[Derek Broughton]

Paul Tansom wrote:

> whilst I can see some of the reasoning behind
> sudo reducing the risk, I don't see it as a major advantage. 

Absolutely not.  It's just one more small tool in an attempt to keep a
secure environment.

> I also find it very annoying when the tab completion of commands doesn't
> work because of the different environment between a user and root.

How is that solved by not using sudo?  In fact, my user and root have the
same tab completion - it's when I try to do something as "mail" or "nx" or
some other system user that I invariably have trouble with this.


> As far as security goes, I can see more arguments against sudo for
> security. By enabling extra accounts to have access to root privileges
> via sudo you increase the number of accounts that could potentially be
> cracked and hence give the intruder root access. 

No, that's completely wrong - unless you give everybody access to
everything, and even then it still means that the intruder has to find a
user with root access and then find their password.  If every user who
needs root access has the password, you already know the user ID and the
chance of cracking the password must increase exponentially with the number
of people who share it.  However, with sudo you can give someone who needs
to administer printers access to cups.  The network admin can have access
to network commands, etc.  Nobody needs access to _everything_.

> Multiple people with 
> multiple views on what constitutes a secure password (within your
> enforced standars of course). With a single root account that you need a
> password to access you have an extra stage to go through and an extra
> password to crack before you get root access. 

No you don't.  You have _one_ password to crack - and it's shared, so
_somebody_ has written it down.

> As far as knowing the 
> account name to try to attack, who ever allows root login access except
> via the console? 

Unfortunately, many...
> By using sudo you have actually open up accounts that 
> have root access and are remotely accessible - exactly the opposite of
> what a lot of people argue!

If you have given them the root password, they just log in as themselves and
do "su".  No difference.
> 
> I can see the logging advantages, and clearly the problems with handling
> a single account/password shared by mulitple users is not a good way of
> working. What is really needed is a sudo style access that requires a
> different password to your usual login password, but different for each
> user, 

That's not an outrageously bad idea...

> and the ability to log even from a root privilege capable shell. 

That, otoh, would be a really great addition - since we already have the
facility to record commands in the bash history, I don't know why we
couldn't tap into that to log the commands to somewhere secure (though, how
much can really be secure when you're root?)

> Both the single root account and sudo fail fully satisfy root access
> requirements, but for me, on a single admin box, I tend to prefer a
> single root account on the basis of better security.

Sorry, that's just not supportable, and your arguments so far haven't shown
any reason it would be true.
-- 
derek