All parties in the matter of Sudo v. Root Account please rise...
View Poll Results: Do you use sudo or the root account to gain root privileges?
In my opinion, as SL00b said, using 'sudo su -' or 'sudo bash' does the same thing that su does. On top of this, if you don't want the security risks associated with allowing multiple users full sudo access, just configure PolicyKit to use sudo (as Ubuntu does) and configure the users (other than you) to have certain admin rights, such as mounting/unmounting devices, but not others, for example deleting files or installing/removing software (though you might want those users to be able to install updates). This way, your system remains secure and you can still weigh the benefits of sudo access against the risks.
I use su to switch to root for admin stuff and when I'm done, I return to normal user. Just old school I guess.
I also do su -c "some command" which is similar to sudo command
I have nothing against sudo. As for a policy, I don't need it. I'm the only one in the family that uses Linux. My family uses that proprietary OS called Windows.
Last edited by RedNeck-LQ; 03-08-2011 at 10:16 PM.
su works just fine for me. I have no desire to install/use sudo.
Quote:
Originally Posted by Kenny_Strawn
I think that using sudo is more secure than the root account for the same reasons that the Ubuntu developers think so: because the root account is a prime target for password crackers.
Removing the root password and using sudo for everything (the "sudo says" method) just shifts the main weak point from the root password to the user password, and IMO that's effectively less secure, unless you have something particularly cryptic for your user password.
I've been using Linux a long time and before that Unix. I have never understood this apparent evilness of using root. Logging in as root is not a bad thing. You will not catch the plague.
I have been doing it for years. I log in, take care of business and log out. Using sudo or su - root is only a convenience thing for me that allows me to do rooty things while logged in as me. It also allows other users to do rooty things without having access to root. That access is mine and mine alone.
Last edited by chrisretusn; 03-09-2011 at 07:49 AM.
I mainly use su, sometimes login as root, and rarely use sudo. In your two way poll of sudo vs. login as root, I don't know where su was supposed to fit. I answered "log in as root" because I think that is where su ought to fit.
Have a password with Uppercase/Lowercase/Numerals/Symbols that is at least 16 digits long. Then restrict password guesses to 3 at a time with a 5 minute timeout. Lock the server in a server case, that is locked in a room, that is locked in a building. Make sure to have an IDS like Snort. Make sure to have a traffic analyzer like wireshark/tcpdump. Use a syslog server/collector like Splunk. Review your logs every day. Change passwords tri-monthly at maximum.
These simple steps should allow you to log in as root without -too much- worry of someone compromising your system using brute-force password guessing.
Quote:
Removing the root password and using sudo for everything (the "sudo says" method) just shifts the main weak point from the root password to the user password, and IMO that's effectively less secure, unless you have something particularly cryptic for your user password.
Actually, it's more secure, because you can't brute-force attack a userid if you don't know a valid userid.
Quote:
Have a password with Uppercase/Lowercase/Numerals/Symbols that is at least 16 digits long. Then restrict password guesses to 3 at a time with a 5 minute timeout. Lock the server in a server case, that is locked in a room, that is locked in a building. Make sure to have an IDS like Snort. Make sure to have a traffic analyzer like wireshark/tcpdump. Use a syslog server/collector like Splunk. Review your logs every day. Change passwords tri-monthly at maximum.
These simple steps should allow you to log in as root without -too much- worry of someone compromising your system using brute-force password guessing.
You forgot to remove any kind of remote root login. No need to log in remotely as root - at least make them guess a valid username before they can start trying to guess the password.
I log in as root when needed, but then I'm not a sys admin or IT guy and the boxes are generally throwaway lab machines.
It's a balance of risk, security, and ease of use.
Now on my machines at home, we run as unprivileged users and I grant elevated access (sudo, runas) when needed. I guess you can say that in that case I am working as IT/sysadmin, so I lock things down more. Also, the assets on my home machine are more valuable and possibly even at a greater risk than the assets I manage at work.
Quote:
You forgot to remove any kind of remote root login. No need to log in remotely as root - at least make them guess a valid username before they can start trying to guess the password.
Good point this
And also, anytime that root logs in, sendmail should send out a page to you saying "Someone has just su'd or logged in as root on xxx.xxx.xxx.xxx"
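Added example, not part of the thread or any poster's code: the suggestion above to send an alert whenever someone logs in as root or su's to root, combined with the "3 guesses" limit mentioned earlier, written as a check over auth log text. The sample lines are constructed, and the patterns assume common OpenSSH, pam_unix and sudo syslog formats, which vary by distribution and version.

```python
import re
from collections import Counter

# Constructed sample lines (assumed OpenSSH / pam_unix / sudo syslog formats).
SAMPLE_LOG = """\
Mar  9 07:41:02 lab1 sshd[2211]: Failed password for root from 192.0.2.77 port 40112 ssh2
Mar  9 07:41:05 lab1 sshd[2211]: Failed password for root from 192.0.2.77 port 40112 ssh2
Mar  9 07:41:09 lab1 sshd[2211]: Failed password for root from 192.0.2.77 port 40112 ssh2
Mar  9 07:44:30 lab1 sshd[2250]: Failed password for invalid user admin from 192.0.2.77 port 40300 ssh2
Mar  9 07:45:10 lab1 su[2290]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar  9 07:50:00 lab1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  9 08:02:17 lab1 sshd[2400]: Accepted password for root from 192.0.2.10 port 51514 ssh2
Mar  9 08:05:00 lab1 sshd[2410]: Accepted publickey for alice from 192.0.2.10 port 51600 ssh2
"""

# Each pattern captures who (or which address) obtained a root session.
PATTERNS = [
    ("ssh-root-login", re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")),
    ("su-to-root", re.compile(r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): "
                              r"session opened for user root(?:\(uid=0\))? by (?P<src>[^\s(]*)")),
    ("sudo-root-shell", re.compile(r"sudo(?:\[\d+\])?:\s+(?P<src>\S+) : .*USER=root ; "
                                   r"COMMAND=\S*/(?:(?:ba|z|da)?sh|su)\b")),
]
FAILED_ROOT = re.compile(r"sshd\[\d+\]: Failed password for root from (?P<src>\S+)")
MAX_GUESSES = 3  # the thread's "3 guesses" threshold

def root_events(log_text):
    """Return (kind, actor_or_source, raw_line) for every root-access event."""
    events = []
    for line in log_text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                events.append((kind, m.group("src"), line))
                break
    return events

def guessing_sources(log_text, limit=MAX_GUESSES):
    """Return source addresses with at least `limit` failed root passwords."""
    fails = Counter(m.group("src") for m in FAILED_ROOT.finditer(log_text))
    return sorted(src for src, n in fails.items() if n >= limit)

if __name__ == "__main__":
    for kind, who, line in root_events(SAMPLE_LOG):
        print(f"ALERT {kind} by/from {who}: {line}")
    for src in guessing_sources(SAMPLE_LOG):
        print(f"ALERT root password guessing from {src}")
```

The su and sudo events name the local account that became root, which a direct root login cannot tell you; the ALERT lines can be piped to whatever mailer or pager the site already uses.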