Su vs Sudo
Hi.
I recently installed Debian in VirtualBox. During install there's a section where you can make a password for the root account, but if you leave it blank, it instead gives your regular user sudo ability. Ubuntu and some other distros allow sudo by default. Is there a problem with only using sudo and never using su? Thanks. |
No.
|
This topic has been beaten to death, I suggest reading up on it. My opinion:
On a multi-user system, sudo is a very powerful tool. It's designed to allow SPECIFIC users to run SPECIFIC commands without requiring root access. This has the overall effect of increasing security since it means the master root password is in fewer hands and accessed less often. The system admin simply needs to ensure that only those commands that are truly necessary for a user to do their job AND are low-risk are handed out, and that those users have secure passwords.
On a multi-user system, handing out unlimited sudo access to any regular user is a BAD idea. Many of the protections that are put in place to keep a system from being compromised, such as preventing ssh access to the root account, are voided. In addition, since it's a regular user account with a password that needs to be entered on a semi-regular basis, chances are the password will be less complex, possibly even written down on a scrap of paper on the person's desk, re-used across the network, used on websites that could be compromised, etc. It opens up the system to a multitude of attack vectors.
On a single-user system, one might make the argument that having a dedicated root account is just a waste of time, but I still feel that granting any regular user unlimited sudo access is a mistake for the reasons mentioned above, and I do not do it on any of my systems. Even on Ubuntu/Mint, the first thing I do is enable the root account and shut off sudo access for my personal account. |
I hope that's a qualified "No" since "su" has switch options that sudo does not, afaik.
|
Quote:
Code:
-f, --fast |
In way-too-many systems (and, every Macintosh ...), "administrative" users are members of the wheel group, and are able to issue the command sudo su to gain root-level privileges using their own(!) passwords.
Lesson: "leave your Superman suit in the closet!" Unless you are actively performing system maintenance, do not log in to any account that is capable of issuing this command. Your "ordinary, day-to-day" account should be non-privileged. |
I think I'll stay with just 'sudo'. :-)
|
(Oh yeah - I'd consider that a "good to know." ;) ) |
I only use 1 account on my PC so multiple root logins cannot happen. ;-)
|
Everything is there for a reason.
Making it impossible to log in directly as root enhances security. Let someone try to log in as root with a dictionary based password cracker, and they may eventually get in. Change "may eventually" to "will never" if root logon is disabled.
There is NOTHING that su can do that sudo cannot, if 'sudo su' is enabled. One difference is that sudo leaves a clearer 'paper trail' in a separate log. Another is that it allows for much finer controls. It is not a 'one or the other' choice: BOTH of them are used on all of my Linux systems at home and work. Each has a proper place and purpose on EVERY system. Afterthought: perhaps not on a simple proof of concept virtual machine where security is irrelevant and it will be quickly blown away. |
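The sudo "paper trail" mentioned in the post above can be checked for the `sudo su` case this thread keeps returning to. The following is an added example, not part of any post in the thread: it assumes sudo's syslog record format (for example in /var/log/auth.log where rsyslog is installed), and the sample lines, user names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sudo writes (assumed: /var/log/auth.log).
SAMPLE_LOG = """\
Mar  3 10:15:02 debian sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:16:40 debian sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su
Mar  3 10:20:11 debian sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:21:55 debian sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Mar  3 10:30:09 debian sudo:    carol : TTY=pts/2 ; PWD=/srv ; USER=www-data ; COMMAND=/bin/sh
Mar  3 10:31:00 debian sshd[812]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
"""

ENTRY = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<fields>.*)$")
SHELLS = {"su", "sh", "bash", "dash", "zsh", "ksh"}  # binaries that hand over a shell

def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = ENTRY.search(line)
    if not m:
        return None
    # COMMAND is always the last field and may itself contain ';', so split it off first.
    head, found, command = m.group("fields").partition("COMMAND=")
    if not found:
        return None
    rec = {"user": m.group("user"), "COMMAND": command, "note": None}
    for part in filter(None, (p.strip() for p in head.split(";"))):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            rec[key] = value            # TTY, PWD, USER
        else:
            rec["note"] = part          # failure text, e.g. "3 incorrect password attempts"
    return rec

def root_shell_events(log_text):
    """Yield (user, command, succeeded) for sudo runs of su or a shell as root."""
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if not rec or rec.get("USER") != "root":
            continue
        binary = (rec["COMMAND"].split() or [""])[0].rsplit("/", 1)[-1]
        if binary in SHELLS:
            yield rec["user"], rec["COMMAND"], rec["note"] is None

def summarize(log_text):
    """Count successful root-shell escalations per user."""
    return Counter(u for u, _, ok in root_shell_events(log_text) if ok)
```

Once a user has a root shell this way, sudo records only the shell itself, so the per-command trail ends at that line.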
So you have no root password on your system, cool. However, what do you log in with via SSH? Your user? So when that gets cracked, what is the difference between root and sudo -i? Or sudo su? The answer is nothing. In fact, using a root account is more secure than using sudo, and here is why:
1) sshd by default doesn't allow root to log in, so if the admin was smart about this, his account would be a totally normal account without sudo access, and when it's required, just su to root.
2) Using this, the attacker actually has to crack two accounts, not just a user who is privileged... it's just a weak argument against having a root account.
3) This is Windows security through obscurity bs; sudo only exists because Ubuntu wanted to Windowize Linux to bring it closer to the masses (which it didn't do).
|
Quote:
Limiting Root Access See your own distro's docs for more specific actions. |