LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
LinkBack Search this Thread
Old 04-18-2011, 03:35 PM   #1
hydepark2734
LQ Newbie
 
Registered: Jun 2010
Posts: 16

Rep: Reputation: 0
what's the big deal about sudo?


as far as i understand, sudo is used so the user won't use the root account and it's password.
but what is the difference?
let's say i installed a fresh copy of ubuntu, no root, just sudo that can do exactly the same as root, for better or worse.
even change the password for root.
i fail to understand how sudo is more safe then root.
 
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 04-18-2011, 03:46 PM   #2
assi9
LQ Newbie
 
Registered: Mar 2011
Posts: 2

Rep: Reputation: 4
For a single user environment like Ubuntu sudo is pretty much moot...you are using the root password when you sudo.

Now picture yourself as a Linux admin, you guard your root password like you would guard a signed copy of Ninja Scroll. You don't loan it out to just anyone. So what to do when your two assistant admins need to do stuff as root? SUDO TO THE RESCUE! You add them to the sudo list! Go to the command line and type visudo then follow these directions http://www.go2linux.org/sudoers-how-to .

They can now use their own password to do things as root, but they will never know your own root password. Also there is some logging you can do to see what, when and how they are using that god-like privileged.

Get it now?

EDIT! Also...you can restrict the commands a sudoer can execute...for instance, you can add someone to the sudo user file, but only allow them to reboot or edit certain ip tables.

Last edited by assi9; 04-18-2011 at 03:58 PM.
 
4 members found this post helpful.
Old 04-18-2011, 03:53 PM   #3
Telengard
Member
 
Registered: Apr 2007
Location: USA
Distribution: Kubuntu 8.04
Posts: 579
Blog Entries: 8

Rep: Reputation: 147Reputation: 147
Typical use of sudo is for a single command at a time. The user should think a bit before performing actions which impact the entire system.

Typical configuration of sudo is to allow only certain users to perform actions as root.

Disallowing root login means the root account can't be brute forced.

None of these things by themselves is perfect. Taken all together they can represent an improvement in security in a carefully managed system.

For single user systems the sudo way may seem unnecessary. IMHO I'm glad to have one more reason to think carefully before performing actions which impact the entire system.

http://www.linuxquestions.org/questi...e-rise-866642/

https://help.ubuntu.com/community/RootSudo
 
2 members found this post helpful.
Old 04-18-2011, 03:56 PM   #4
gazzatav
LQ Newbie
 
Registered: Jul 2010
Location: Stockport UK
Distribution: Ubuntu
Posts: 6

Rep: Reputation: 3
I think it might help to understand that processes/programs that you run when you are logged on get your privileges.

In one scenario, imagine you run a program that has malicious code and it tries to install other software or make system changes, if you are logged on as root it can just go ahead and do it without asking. If you are logged in as a normal user that program would not inherit root permissions and you would be asked to supply a password for it to go ahead. So you only use sudo when you are confident that what you are doing is safe.

I hope that helps.

Last edited by gazzatav; 04-18-2011 at 04:01 PM.
 
3 members found this post helpful.
Old 04-18-2011, 06:21 PM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,093

Rep: Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995
As above, sudo was originally designed to

1. allow non-root user's to execute root level actions AND
2. restrict the use user to ONLY those actions/cmds specified in sudoers file AND
3. log the cmds used AND
4. have the user use his passwd, NOT root's.

However, Ubuntu has decided to bypass the nicely restrictive design and instead (by default) disable the root acct and automatically FULLY enable the first created non-root acct FULL access via sudo.
This is definitely non-std in the *nix world and causes confusion if such users later on meet a normal system.


Granted that for a single user system (especially at home) it may seem redundant, but it's still good security practice not to abuse it.
What happens if your user acct gets hacked; it can happen even on Linux...
 
4 members found this post helpful.
Old 04-19-2011, 05:33 AM   #6
hydepark2734
LQ Newbie
 
Registered: Jun 2010
Posts: 16

Original Poster
Rep: Reputation: 0
Well, if he get hacked, and has sudo permissions, it's quite a damage.
nevermind, thing are much clearer now.
the fact that the sudo users cant be limited is already makes much sense.
thanks for all the answers
 
Old 04-19-2011, 08:55 AM   #7
SL00b
Member
 
Registered: Feb 2011
Location: LA, US
Distribution: SLES
Posts: 375

Rep: Reputation: 111Reputation: 111
Another thing that's missing in the conversation is that a remote attacker knows the account name of root, so he can attempt a brute-force attack on that account.

To prevent that, you can disable remote login for the root account, and grant sudo access to your personal account. Now the attacker needs to add a near infinite combination of userids to his brute-force attack, adding orders of magnitude of difficulty to pop the box, and rendering the job all but impossible.

And this is why Ubuntu disables root and establishes your personal account as a sudoer with full root access. Ubuntu is a single-user distro, so the assumption is that the guy who installed it is the guy who needs full control.

Last edited by SL00b; 04-19-2011 at 09:02 AM.
 
Old 04-19-2011, 09:01 AM   #8
SL00b
Member
 
Registered: Feb 2011
Location: LA, US
Distribution: SLES
Posts: 375

Rep: Reputation: 111Reputation: 111
Quote:
Originally Posted by chrism01 View Post
As above, sudo was originally designed to

4. have the user use his passwd, NOT root's.
This is a typical use in a business environment, but it's not the only use. You can configure sudo to take the user's password, root's password, the target's password (if running a command as some account other than root, ex: sudo -u <userid>), or no password at all.
 
Old 04-19-2011, 09:39 AM   #9
baudrunner
LQ Newbie
 
Registered: Feb 2011
Posts: 7

Rep: Reputation: 0
root rhymes with moot

Sudo really is actually moot as a security measure, since anyone can change the root password at anytime simply by typing in 'sudo passwd root', then just enter one password for the next two password requests - user and unix paswords. Then, next time you go into terminal mode, just type in 'su' and enter the password you just created. After that, you are permanently in administrative - or, 'superuser' - mode, as you can see from the '#' prompt. To leave that mode, and the terminal, just keep typing in 'exit' until you are back on the desktop playing Mahjong.
 
0 members found this post helpful.
Old 04-19-2011, 10:05 AM   #10
SL00b
Member
 
Registered: Feb 2011
Location: LA, US
Distribution: SLES
Posts: 375

Rep: Reputation: 111Reputation: 111
Quote:
Originally Posted by baudrunner View Post
Sudo really is actually moot as a security measure, since anyone can change the root password at anytime simply by typing in 'sudo passwd root', then just enter one password for the next two password requests - user and unix paswords. Then, next time you go into terminal mode, just type in 'su' and enter the password you just created. After that, you are permanently in administrative - or, 'superuser' - mode, as you can see from the '#' prompt. To leave that mode, and the terminal, just keep typing in 'exit' until you are back on the desktop playing Mahjong.
1) This is true for internal users, not at all true for external users.
2) There's no need to go around hacking the root account when "sudo bash" will get you the same result.
3) If this scenario is a concern, sudoers can be denied the passwd command.
 
Old 04-19-2011, 02:53 PM   #11
Telengard
Member
 
Registered: Apr 2007
Location: USA
Distribution: Kubuntu 8.04
Posts: 579
Blog Entries: 8

Rep: Reputation: 147Reputation: 147
Quote:
Originally Posted by baudrunner View Post
since anyone can change the root password at anytime simply by typing in 'sudo passwd root'
That only works if said user is allowed to use sudo. On my own systems I am the only user allowed to use sudo. I can't speak for anyone else's configuration.
 
Old 04-19-2011, 08:55 PM   #12
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,093

Rep: Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995
The pt is that's only because Ubuntu does it wrong.
sudo should not be automatically available to anyone.

The idea of Unix is that you have root and you have other users. Other users have no access to root cmds.
Someone came up with sudo as a way to allow only specified users to use specified cmds only. These may or may not be root cmds, as noted above, but they would be cmds not normally available to the user.

Ubuntu decided to 'disable' root & default first user to sudo with full rights (and no passwd?). Thereby effectively making first user root.
You can fix this (and should imnsho) on Ubuntu.

On a 'single user' system, you can disable remote root login (a good idea generally) and use 'su -' or full sudo (both using root passwd), then any potential hacker has to guess your acct name and your passwd to get in, then guess the root passwd to go any higher.
Obviously you should have a 'good' passwd for root and for yourself.
 
Old 04-19-2011, 09:10 PM   #13
Telengard
Member
 
Registered: Apr 2007
Location: USA
Distribution: Kubuntu 8.04
Posts: 579
Blog Entries: 8

Rep: Reputation: 147Reputation: 147
Exclamation

Quote:
Originally Posted by chrism01 View Post
On a 'single user' system, you can disable remote root login
What remote login? Is there really a remote login service I'm supposed to disable somewhere? I can't find it.


Quote:
any potential hacker has to guess your acct name and your passwd to get in, then guess the root passwd to go any higher.
I like the sound of that.
 
Old 04-20-2011, 09:00 PM   #14
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,093

Rep: Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995Reputation: 1995
For ssh, /etc/sshd_config

http://www.openbsd.org/cgi-bin/man.c...nfig&sektion=5
Quote:
PermitRootLogin no
ie only allow remote login for yourself, the 'su - ' to get root locally.
Note that in that doc page there are plenty more things you can do to restrict who can login and from where etc etc

Last edited by chrism01; 04-20-2011 at 09:01 PM.
 
1 members found this post helpful.
Old 04-21-2011, 01:07 AM   #15
Telengard
Member
 
Registered: Apr 2007
Location: USA
Distribution: Kubuntu 8.04
Posts: 579
Blog Entries: 8

Rep: Reputation: 147Reputation: 147
Quote:
Originally Posted by chrism01 View Post
For ssh, /etc/sshd_config
I don't run sshd exactly because I don't need the potential security headache.
 
  


Reply

Tags
root login, sudo


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Firefox 4 a big deal LXer Syndicated Linux News 0 08-13-2010 11:10 AM
Why is Lisp such a big deal? joeBuffer Programming 16 08-26-2009 11:44 PM
LXer: OOXML: What’s the Big Deal? LXer Syndicated Linux News 0 02-20-2008 01:00 AM
Why Was 64 Bit Such Big Deal? carlosinfl General 3 04-08-2007 04:55 PM
Big deal with GRUB please help! drcyber Linux - Newbie 20 11-08-2004 04:56 PM


All times are GMT -5. The time now is 10:22 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration