Choosing a distribution
Paul Tansom
paul at aptanet.com
Wed Nov 7 15:00:08 UTC 2007
** Derek Broughton <news at pointerstop.ca> [2007-11-06 17:35]:
> Paul Tansom wrote:
<<snip>>
> > I also find it very annoying when the tab completion of commands doesn't
> > work because of the different environment between a user and root.
>
> How is that solved by not using sudo? In fact, my user and root have the
> same tab completion - it's when I try to do something as "mail" or "nx" or
> some other system user that I invariably have trouble with this.
When I first tried using sudo, quite some years ago now, I found that
tab completion didn't work at all. After a while I realised that this
was largely due to the fact that the commands I was trying to use
weren't in the path for a user account, just root. By the looks of
things this isn't as much of an issue on Ubuntu, but given that I've not
bothered with sudo I haven't noticed. Ubuntu looks to have added the
sbin directories into the user path.
> > As far as security goes, I can see more arguments against sudo for
> > security. By enabling extra accounts to have access to root
> > privileges via sudo you increase the number of accounts that could
> > potentially be cracked and hence give the intruder root access.
>
> No, that's completely wrong - unless you give everybody access to
> everything, and even then it still means that the intruder has to find
> a user with root access and then find their password. If every user
> who needs root access has the password, you already know the user ID
> and the chance of cracking the password must increase exponentially
> with the number of people who share it. However, with sudo you can
> give someone who needs to administer printers access to cups. The
> network admin can have access to network commands, etc. Nobody needs
> access to _everything_.
You mean the way Ubuntu has it configured then. The standard setup looks
to be to allow access to everything via sudo. I tend to forget that it
can actually be tied down, so as you say, if used properly it is another
tool to make things more secure. In practice perhaps it is another one
of those badly used tools that often has the opposite effect.
> > Multiple people with multiple views on what constitutes a secure
> > password (within your enforced standards of course). With a single
> > root account that you need a password to access you have an extra
> > stage to go through and an extra password to crack before you get
> > root access.
>
> No you don't. You have _one_ password to crack - and it's shared, so
> _somebody_ has written it down.
Sorry, I'll disagree there. You have to crack the user password to get
access to the system, then you have to crack the root password. Of
course here I'm making the assumption that you've disabled remote root
login, much like you've assumed with sudo that you are using it to limit
to a command level. I'd argue that my assumption is more reasonable
since it is a one time configuration change that needs no further
management. I can't remember whether it is standard for Debian and
Ubuntu unfortunately.
> > As far as knowing the account name to try to attack, who ever allows
> > root login access except via the console?
>
> Unfortunately, many...
See above :)
> > By using sudo you have actually opened up accounts that have root
> > access and are remotely accessible - exactly the opposite of what a
> > lot of people argue!
>
> If you have given them the root password, they just log in as
> themselves and do "su". No difference.
True, but with sudo you use the password you've just cracked to get in,
and with a root account you use a different password that now needs
cracking as well.
> > I can see the logging advantages, and clearly the problems with
> > handling a single account/password shared by multiple users is not a
> > good way of working. What is really needed is a sudo style access
> > that requires a different password to your usual login password, but
> > different for each user,
>
> That's not an outrageously bad idea...
With calmly managed differences of opinion they sometimes happen. With
flame war types people tend to get entrenched on one side or the other
and less often consider the other side of the argument properly :)
> > and the ability to log even from a root privilege capable shell.
>
> That, otoh, would be a really great addition - since we already have
> the facility to record commands in the bash history, I don't know why
> we couldn't tap into that to log the commands to somewhere secure
> (though, how much can really be secure when you're root?)
One thing I keep meaning to look into is where multiple histories are
logged. If I log into a box with multiple shells each has its own
history, but when I log back in again only one is there. I've not
investigated further where they are logged to temporarily.
> > Both the single root account and sudo fail to fully satisfy root access
> > requirements, but for me, on a single admin box, I tend to prefer a
> > single root account on the basis of better security.
>
> Sorry, that's just not supportable, and your arguments so far haven't
> shown any reason it would be true. -- derek
Well, they both fail to log adequately from a shell, whether you access
that via sudo or root. Sudo, in my opinion, lacks a level of security by
virtue of only having a single password shared between the user and root
privilege. Using root lacks a level of security by having a shared
password between multiple users.
Taking the above into consideration, with a single administrator, I
consider the root account more secure since the user account would have
to have all root privileges, and thus you fall back onto a single
remotely accessible password to gain full root access.
With a multi administrator setup I would probably go for a dual user
account situation. The user account has no sudo privileges, but does
have remote access. Then each administrator has a secondary
administration account that is not remotely accessible into which they
su. These accounts then have sudo privileges as required. If you must
give a remotely accessible user account sudo privileges I'd enforce a
strict password policy in terms of regular changes, password length and
format.
I guess that last paragraph indicates that this thread has made me think
about the use of sudo again, and my views have been revised, even if not
majorly :)
It is a while since I worked in a large enough organisation to worry
about multiple administrators though, and back then it was a mix of
OS/2, NT4 and AIX!
** end quote [Derek Broughton]
--
Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/ | 023 9238 0001
======================================================================
Registered in England | Company No: 4905028 | Registered Office:
Crawford House, Hambledon Road, Denmead, Waterlooville, Hants, PO7 6NU
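
An added example, not part of the original message or of any poster's own configuration: a small audit of the two settings the thread turns on, namely which sudoers entries grant every command (so one login password is enough for root) versus a command-limited grant, and whether sshd permits root login at all. The sample files and the account names "printop" and "netop" are constructed for illustration, and the parser handles only simple one-line sudoers rules.

```python
import re

# Constructed sample files (not from any real host). "printop" and "netop"
# are hypothetical accounts for the printer/network admins in the thread.
SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
printop ALL=(root) /usr/sbin/lpadmin, /usr/sbin/cupsenable
netop   ALL=(root) NOPASSWD: /sbin/ifconfig, /sbin/route
"""
SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
"""

# Rule shape: who host = (runas) commands. Simple one-line rules only
# (assumption: aliases, continuations and #include are not handled).
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def sudo_grants(text):
    """Return {user_or_%group: [commands]} for each user specification."""
    grants = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = RULE.match(line)
        if m:
            # Drop tags such as NOPASSWD: in front of a command.
            cmds = [re.sub(r"^(?:[A-Z]+:\s*)+", "", c.strip())
                    for c in m.group(2).split(",")]
            grants.setdefault(m.group(1), []).extend(cmds)
    return grants

def unrestricted(grants):
    """Non-root entries that are granted every command."""
    return sorted(w for w, c in grants.items() if "ALL" in c and w != "root")

def root_ssh_allowed(text):
    """True unless PermitRootLogin is explicitly 'no' (first value wins)."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower() != "no"
    return True  # assumption: an unset option is treated as "allowed"
```

On the constructed input, only `%admin` is reported as unrestricted, while `printop` and `netop` map to their listed commands.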