Choosing a distribution

Paul Tansom paul at aptanet.com
Fri Nov 9 14:29:51 UTC 2007


** Derek Broughton <news at pointerstop.ca> [2007-11-07 17:24]:
> Paul Tansom wrote:
> > ** Derek Broughton <news at pointerstop.ca> [2007-11-06 17:35]:
> >> > As far as security goes, I can see more arguments against sudo for
> >> > security. By enabling extra accounts to have access to root
> >> > privileges via sudo you increase the number of accounts that could
> >> > potentially be cracked and hence give the intruder root access.
> >> 
> >> No, that's completely wrong - unless you give everybody access to
> >> everything, and even then it still means that the intruder has to find
> >> a user with root access and then find their password.  If every user
> >> who needs root access has the password, you already know the user ID
> >> and the chance of cracking the password must increase exponentially
> >> with the number of people who share it.  However, with sudo you can
> >> give someone who needs to administer printers access to cups.  The
> >> network admin can have access to network commands, etc.  Nobody needs
> >> access to _everything_.
> > 
> > You mean the way Ubuntu has it configured then. The standard setup looks
> > to be to allow access to everything via sudo. 
> 
> That's true of _one_ user.  If you have a root user, that's _still_ true of
> one user.  All other users have only what you give them.

I guess I'm working on the basis of my own configurations where the one
user being root is one user without remote login access, whereas with
the default Ubuntu setup I'm considering that the one user has remote
access. That said this is based on the Ubuntu I have installed here
which is configured as a desktop machine, as Ubuntu was for the majority
of the time I ignored it, and this has no SSH server installed, so it is
a bit of a moot point :)

<<snip>>
> >> > By using sudo you have actually opened up accounts that have root
> >> > access and are remotely accessible - exactly the opposite of what a
> >> > lot of people argue!
> >> 
> >> If you have given them the root password, they just log in as
> >> themselves and do "su".  No difference.
> > 
> > True, but with sudo you use the password you've just cracked to get in,
> > and with a root account you use a different password that now needs
> > cracking as well.
> 
> It doesn't follow.  You're claiming "increased" security by use of a root
> password, but then basing it all on somebody hacking your system.  The fact
> is almost all security violations will occur either _by_ users who already
> have legitimate access to your system, or by them compromising their own
> accesses.  The root to increasing security, then, is granularization -
> limit what authorized users can do, where they can do it, and how.

OK, here I'm working on the basis that if you have a user account that
is compromised and has sudo access then the machine is root compromised.
If you are working with a setup that requires the use of su to another
account (root or an additional admin capable user account then using
sudo as per my last email), the attacker has another level of password
to crack to fully compromise the machine. If, again as per my previous
email, you are using an intermediate user admin account (instead of
root) then you have another facility, as you have pointed out, to reduce
the level of access that sudo provides.

> >> > Both the single root account and sudo fail to fully satisfy root access
> >> > requirements, but for me, on a single admin box, I tend to prefer a
> >> > single root account on the basis of better security.
> >> 
> >> Sorry, that's just not supportable, and your arguments so far haven't
> >> shown any reason it would be true.  -- derek
> > 
> > Well, they both fail to log adequately from a shell, whether you access
> > that via sudo or root. 
> 
> I knew as soon as I posted that, I should have trimmed a bit more - I agree
> on the logging issue.  I disagree only with the last phrase "on the basis
> of better security".

I guess I am basing my views on the fact that I have rarely been in the
position where I have needed to provide admin access to other people,
thus the key problem of a shared password is not an issue. Thus I would
be using a sudo configuration with full access, since there would be
little point in having to log in as a different user to perform
different admin tasks (I'd be forever logging in and out, or have
multiple logins under different accounts in different windows - although
it could in some cases reduce the risk of finger trouble, or brain to
finger data corruption!). Thus in my situation I stand by preferring the
single root account "on the basis of better security" because it adds
another password between a remotely accessible account and the one with
full access.

As I outlined in my last post, this thread has made me think about a
multi administrator setup, and I would almost definitely use a sudo
setup for this, but one that emulates a multi-root account setup - with
the bonus of the ability to restrict what can be done, but with the
annoyance of having to remember to type sudo before each command :)

** end quote [Derek Broughton]

-- 
Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/ | 023 9238 0001
======================================================================
Registered in England  |  Company No: 4905028  |  Registered Office:
Crawford House, Hambledon Road, Denmead, Waterlooville, Hants, PO7 6NU
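
An added example, not part of the original post or of sudo itself: a small Python audit of the distinction this thread argues over, separating sudoers entries that amount to full root from entries limited to specific commands. The sample policy, the user and group names, and the list of shell paths are constructed assumptions, and the parser handles only simple one-line entries.

```python
import re

# Constructed sample policy (not from the thread). Group, user and command
# names are assumptions chosen to mirror the roles discussed above.
SAMPLE_SUDOERS = """\
Cmnd_Alias PRINTING = /usr/sbin/lpadmin, /usr/sbin/cupsenable
Cmnd_Alias NETWORK = /sbin/ifconfig, /sbin/route
%admin   ALL=(ALL) ALL
printop  ALL=(root) PRINTING
netop    ALL=(root) NOPASSWD: NETWORK
helpdesk ALL=(root) /usr/sbin/lpadmin, /bin/bash
"""

# Assumed paths: commands that hand over an interactive root shell, so a
# "restricted" entry that lists one is full access in practice.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/su"}

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

def split_cmds(field):
    """Split a comma-separated command list and drop tags such as NOPASSWD:."""
    return [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip())
            for c in field.split(",") if c.strip()]

def audit(text):
    """Map each principal to ('full-root' | 'restricted', expanded commands)."""
    aliases, report = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = split_cmds(m.group(2))
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        who, runas, cmds = m.group(1), m.group(2) or "root", []
        for c in split_cmds(m.group(3)):
            cmds.extend(aliases.get(c, [c]))  # expand Cmnd_Alias references
        users = runas.split(":")[0].split(",")  # run-as users, before any group
        as_root = any(u.strip() in ("ALL", "root") for u in users)
        full = as_root and any(c == "ALL" or c.split()[0] in SHELLS for c in cmds)
        report[who] = ("full-root" if full else "restricted", cmds)
    return report

if __name__ == "__main__":
    for who, (level, cmds) in audit(SAMPLE_SUDOERS).items():
        print(f"{who:9} {level:10} {', '.join(cmds)}")
```

Any principal reported as full-root is an account whose password alone stands between a remote login and root, which is the case the reply above is concerned with.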



