lproven at gmail.com
Mon Jan 2 00:28:23 UTC 2012
On 1 January 2012 18:33, doug <dmcgarrett at optonline.net> wrote:
> On 01/01/2012 11:45 AM, Smoot Carl-Mitchell wrote:
>> On Sun, 2012-01-01 at 11:05 -0500, AV3 wrote:
>>> On Jan/1/2012 6:5435 AM, Earthson wrote:
>>>> root is disabled, and it does not have a passwd. if you really want to
>>>> use "root", just set a passwd for it.
>>>
>>> You can do this, but it is not a good idea. The major security advantage
>>> of Unix OS's over Windows is afforded by their disabled root accounts
>>> inaccessible to outside intruders. Keep it that way, unless you have a
>>> truly compelling reason to risk your root account's security for.
>>
>> Very few attacks on Unix/Linux systems try and guess the root password.
>> Most attacks take advantage of known flaws in processes running with
>> root privileges. With a strong password it is nearly impossible to guess
>> the root password. So from a security standpoint having a password on
>> the root account is not opening up a lot of risk. Since using "su -" on
>> a host with a root password or "sudo -i" on a host with a locked root
>> account are functionally equivalent, why have a password on root which
>> you need to remember?
>>
>> On the other hand logging in as root (or sudo -i to root) and doing all
>> your work as root is risky, since every program you run is at an
>> elevated privilege. If you download a program or execute an email
>> attachment as root, then all security bets are off. This BTW was the
>> major attack vector for viruses and worms into Windows systems before
>> they introduced a degree of privilege separation. sudo is a nice tool
>> which makes you aware of the programs you want to run with root
>> privileges. In my view it keeps you from doing really dumb things.
>
> I'm trying to learn something here: as I understand it, sudo
> gives you root privileges,

No, not quite.

> so what's the difference between
> su (password) and sudo (password)

"Su" stands for "super user". That means "root", normally, on Unix.

The "sudo" command means "superuser do" - in other words, do *one
command* as the superuser. So you type:

    sudo cp /etc/fstab /etc/fstab.bak

... and it runs *that one command* as the superuser.

To do this, you need to supply /your own password/ and your account
needs to be in a group that permits you to do "sudo".

There is a handy loophole, though: if the thing that you do is run a
shell, then that shell runs as root and you can effectively become
root and run commands as root. That is what "sudo bash" does, and
because it's useful, there is a shortcut: "sudo -s", meaning, do the
action of opening a shell as the superuser.

The "su" command is completely different. It allows you to /become/
the superuser. When you type "su", you need to supply *root's*
password and then you become root until you end the session with
ctrl-D or "logout". *Your* password has nothing to do with it.

When you "su", you get a new shell. You can't run one command.

So "su" and "sudo" are totally different and do totally different
things. The correct comparison is between "su" and "sudo -s". They do
the same thing, but with one big difference: for "su", you need an
active root account and you need to know its password. For "sudo -s"
you need *your own* password and root can be left disabled.

Liam Proven • Profile: http://lproven.livejournal.com/profile
Email: lproven at cix.co.uk • GMail/G+/Twitter/Flickr/Facebook: lproven
MSN: lproven at hotmail.com • Skype/AIM/Yahoo/LinkedIn: liamproven
Tel: +44 20-8685-0498 • Cell: +44 7939-087884
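
Added example, not part of the original message: a shell check that applies the su versus "sudo -s" distinction described above to one /etc/shadow line for root and one /etc/group line, and reports which route to a root shell is available to a given user. The sample lines, the user names, the function names and the group name "sudo" are constructed assumptions; on a real system the sudoers policy decides which group is permitted.

```shell
#!/bin/sh
# Constructed sample data in /etc/shadow and /etc/group format (not from a real system).
SHADOW_LOCKED='root:!:15340:0:99999:7:::'
SHADOW_SET='root:$6$constructedsalt$constructedhash:15340:0:99999:7:::'
GROUP_LINE='sudo:x:27:alice,bob'   # group name "sudo" is an assumption

# root_has_password SHADOWLINE -> exit 0 if root has a usable password for "su".
# "*" or a leading "!" in field 2 marks a locked password. An empty field means
# no password is set; it is treated as not usable here (assumption: PAM decides).
root_has_password() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        ''|'*'|'!'*) return 1 ;;
        *) return 0 ;;
    esac
}

# user_in_group USER GROUPLINE -> exit 0 if USER is in the member list (field 4).
# Wrapping both sides in commas avoids matching "al" against "alice".
user_in_group() {
    members=$(printf '%s\n' "$2" | cut -d: -f4)
    case ",$members," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# root_shell_paths USER SHADOWLINE GROUPLINE -> prints "su", "sudo-s",
# "su sudo-s" or "none": the routes to a root shell open to USER.
root_shell_paths() {
    out=''
    if root_has_password "$2"; then
        out='su'            # needs root's password, so root must be active
    fi
    if user_in_group "$1" "$3"; then
        out="${out:+$out }sudo-s"   # needs only the user's own password
    fi
    printf '%s\n' "${out:-none}"
}

root_shell_paths alice "$SHADOW_LOCKED" "$GROUP_LINE"
```

On a live system the same functions can be fed `getent group sudo` and, as root, `getent shadow root`.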