LinuxQuestions.org


Kenny_Strawn 03-05-2011 03:05 PM

All parties in the matter of Sudo v. Root Account please rise...
 
What do you use to gain administrative privileges on your Linux system?

I used to use sudo but now with ArchBang I have no choice but to log in as root. However, I think that using sudo is more secure than the root account for the same reasons that the Ubuntu developers think so: because the root account is a prime target for password crackers. Because password crackers know that there is an account named "root" and that it is administrative, they will attempt to crack its password before they crack any other password. What is your detailed opinion?

Kenny_Strawn 03-05-2011 03:40 PM

What are the detailed explanations for your votes, those besides me who voted?

XavierP 03-05-2011 06:49 PM

ArchBang does have a sudoers file, why can't you use it?

eveningsky339 03-05-2011 07:02 PM

I use su and sudo su most often. I never login as root, because I can stroll about happily destroying my system if I don't pay attention to file management.

Telengard 03-05-2011 07:20 PM

Kubuntu is my Linux of choice, so I use sudo most of the time. On a few occasions I have found it convenient to have a root shell, and Kubuntu includes a terminal sessions option for exactly that.

I guess if I were on Slackware or LFS I'd login as root with a really, really strong password. And that would be fine too.

As for which is better, I really think it depends on your security needs. For a single user desktop system I'm pretty sure I like sudo better. Multi-user systems and headless servers may be otherwise.

frankbell 03-05-2011 09:54 PM

If the root login is available and if I have lots of administrative stuff to do (as when setting up a new system), I prefer to login as root, do my root stuff, and get out.

For the occasional tasks, I would rather su than sudo--enter my password once, do the tasks, get out.

Sudo is a nag.

I consider it sad that Ubuntu has managed to convince a large contingent of computer users that a root login is somehow inherently unsafe. Having adequate security and distrusting your users are, to my mind, not the same thing.

And if I break something, then I fix it. That's how I learned the little bit I know about vi.

I started with Slackware. No doubt that has colored my views.

k3lt01 03-05-2011 10:27 PM

I use Debian and during setup you have an option to set up a Root account along with your normal user account. I setup both. If I need to use a terminal I can either use the Root terminal or the regular terminal. I generally just choose the Root terminal as it is simpler for me.

When I was using Ubuntu I became used to sudo and its graphical version gksudo so it didn't bother me. Now I use Debian I like being able to go straight to Root.

FredGSanford 03-06-2011 03:48 AM

I create a root acct and use su - to log in as root, and exit out when done!

Hangdog42 03-06-2011 07:40 AM

You need a "both" option to your poll. If I've got a common one-off command I use a lot, I'll set it up in sudoers so I can use sudo. However, sometimes I need to do a variety of tasks, in which case I pop open a terminal and log in as root.

doomloard 03-08-2011 12:07 PM

I would much rather use sudo to gain admin rights on my servers for one main reason: if an admin staff member gets fired, all I have to do is disable his account and remove him from the group that can use sudo. But if I had to give the root password to users that needed admin rights, every time one left I would have to change the password.

snowday 03-08-2011 12:22 PM

I also would like to see a "both" option added to the poll. "Carpenters, which do you use: a hammer or a saw?" :)

TobiSGD 03-08-2011 02:21 PM

I use su to do administrative tasks, and sudo for some tasks that are not really administrative, like mounting ISOs or rebooting the system.

I personally find it a myth that a root account is a security risk. Crackers can only hack into your root account if you let them do that. That means that you have to have a running daemon that allows logins, for example SSH, and that it must be configured to allow root logins with a password.
Everyone that is aware of the risks would never allow root-logins with password, either it is disabled at all to login as root from a remote machine or only allowed with a GPG-key.

SL00b 03-08-2011 03:59 PM

I use sudo for everything, because "sudo bash" is the same as "su", only now I don't have to worry about knowing any password other than my own.

chrisretusn 03-08-2011 05:06 PM

Root is not the root of all evil.;)

I log as root all the time, especially on my server, most of what I want to do requires root privileges. I even on occasion startx from my root account. :eek:

Your poll left out "su -".

I use "su -" or when I feel like it, "su - root" most often when I am on my normal use machine running KDE and don't want to drop out to the CLI.

Every now and then I use sudo.

I voted "log in as root" even though I use three methods to gain root privileges; log in as, su -, sudo.

jefro 03-08-2011 08:02 PM

Then 11 people are not following best practices. Use only the lowest permission to do the job. sudo is that.

Now I do use su to change users.

Kenny_Strawn 03-08-2011 08:32 PM

In my opinion, as SL00b said, using 'sudo su -' or 'sudo bash' does the same that su does. On top of this, if you don't want the security risks associated with allowing multiple users full sudo access, just configure PolicyKit to use sudo (as Ubuntu does) and configure the users (other than you) to have certain admin rights, such as mounting/unmounting devices, but not others, for example deleting files or installing/removing software (though you might want those users to be able to install updates). This way, your system remains secure and you can still weigh the benefits of sudo access against the risks.

RedNeck-LQ 03-08-2011 08:51 PM

I use su to switch to root for admin stuff and when I'm done, I return to normal user. Just old school I guess.

I also do su -c "some command" which is similar to sudo command

I have nothing against sudo. As for a policy, I don't need it. I'm the only one in the family that uses linux. My family uses that proprietary OS called windows.

MrCode 03-08-2011 10:52 PM

su works just fine for me. I have no desire to install/use sudo.

Quote:

Originally Posted by Kenny_Strawn
I think that using sudo is more secure than the root account for the same reasons that the Ubuntu developers think so: because the root account is a prime target for password crackers.

Removing the root password and using sudo for everything (the "sudo says" method) just shifts the main weak point from the root password to the user password, and IMO that's effectively less secure, unless you have something particularly cryptic for your user password.

John VV 03-09-2011 12:26 AM

root gui login or sudo

Neither. I use "su -"

corp769 03-09-2011 02:36 AM

Quote:

Originally Posted by John VV (Post 4283669)
root gui login or sudo

Neither. I use "su -"

+1 to that. If I need to do maintenance or install globally, I use su -

chrisretusn 03-09-2011 07:45 AM

I've been using Linux a long time and before that Unix. I have never understood this apparent evilness of using root. Logging in as root is not a bad thing. You will not catch the plague.

I have been doing it for years. I log in, take care of business and log out. Using sudo or su - root is only a convenience thing for me that allows me to do rooty things while logged in as me. It also allows other users to do rooty things without having access to root. That access is mine and mine alone. :)

johnsfine 03-09-2011 08:03 AM

I mainly use su, sometimes login as root, and rarely use sudo. In your two way poll of sudo vs. login as root, I don't know where su was supposed to fit. I answered "log in as root" because I think that is where su ought to fit.

szboardstretcher 03-09-2011 08:07 AM

Have a password with Uppercase/Lowercase/Numerals/Symbols that is at least 16 digits long. Then restrict password guesses to 3 at a time with a 5 minute timeout. Lock the server in a server case, that is locked in a room, that is locked in a building. Make sure to have an IDS like Snort. Make sure to have a traffic analyzer like wireshark/tcpdump. Use a syslog server/collector like Splunk. Review your logs every day. Change passwords tri-monthly at maximum.

These simple steps should allow you to log in as root without -too much- worry of someone compromising your system using brute-force password guessing.

PrinceCruise 03-09-2011 08:31 AM

su - :)

SL00b 03-09-2011 08:35 AM

Quote:

Originally Posted by MrCode (Post 4283586)
Removing the root password and using sudo for everything (the "sudo says" method) just shifts the main weak point from the root password to the user password, and IMO that's effectively less secure, unless you have something particularly cryptic for your user password.

Actually, it's more secure, because you can't brute-force attack a userid if you don't know a valid userid.

rsciw 03-09-2011 08:36 AM

depends on the situation, either sudo or su then do the task, so yeah, both, mostly sudo though.

DavidMcCann 03-09-2011 11:04 AM

For me, it's the option you left out: su -

Logging in as root means too much logging in and out. Sudo means having to set up the facility in the first place: why bother when I can use "su"?

djsmiley2k 03-09-2011 11:24 AM

Quote:

Originally Posted by szboardstretcher (Post 4284181)
Have a password with Uppercase/Lowercase/Numerals/Symbols that is at least 16 digits long. Then restrict password guesses to 3 at a time with a 5 minute timeout. Lock the server in a server case, that is locked in a room, that is locked in a building. Make sure to have an IDS like Snort. Make sure to have a traffic analyzer like wireshark/tcpdump. Use a syslog server/collector like Splunk. Review your logs every day. Change passwords tri-monthly at maximum.

These simple steps should allow you to log in as root without -too much- worry of someone compromising your system using brute-force password guessing.

You forgot to remove any kind of remote root login. No need to log in remotely as root - at least make them guess a valid username before they can start trying to guess the password :)

z1p 03-09-2011 11:40 AM

I login as root when needed, but then I'm not a sys admin or IT guy and the boxes are generally throw away lab machines.
It's a balance of risk, security, ease of use.

Now on my machines at home, we run as unprivileged users and I grant elevated access (sudo, runas) when needed. I guess you can say that in that case I am working as IT/sysadmin, so lock things down more. Also, the assets on my home machine are more valuable and possibly even at a greater risk than the assets I manage at work.

szboardstretcher 03-09-2011 12:04 PM

Quote:

Originally Posted by djsmiley2k (Post 4284443)
You forgot to remove any kind of remote root login. No need to log in remotely as root - at least make them guess a valid username before they can start trying to guess the password :)

Good point this :)

And also, anytime that root logs in, sendmail should send out a page to you saying "Someone has just su'd or logged in as root on xxx.xxx.xxx.xxx"

TobiSGD 03-09-2011 04:50 PM

Quote:

Originally Posted by SL00b (Post 4284233)
Actually, it's more secure, because you can't brute-force attack a userid if you don't know a valid userid.

I can do a remote login as root to my machines. But since I do not use a password for that, I wish you good luck and no boredom for the try to brute force that login. Or just a mainframe (or two).

SL00b 03-09-2011 05:01 PM

Quote:

Originally Posted by TobiSGD (Post 4284780)
I can do a remote login as root to my machines. But since I do not use a password for that, I wish you good luck and no boredom for the try to brute force that login. Or just a mainframe (or two).

I don't need to. All I need to do is pop the box you're logging in remotely from, and steal your public key.

RedNeck-LQ 03-09-2011 11:47 PM

In FreeBSD, you cannot log in as root even if you know the password. You have to be in the wheel group.

EDDY1 03-10-2011 01:00 AM

Being new to the whole linux movement, I take the path with the least resistance, su, sudo or root login.

lumak 03-10-2011 03:11 AM

su -c 'command options'
until I realize I need to execute multiple commands
su
or until I realize I just want to log in and do a whole session as root

then I very neatly clear my console window with:
exec reset

Kenny_Strawn 03-12-2011 03:17 PM

Quote:

Originally Posted by RedNeck-LQ (Post 4285054)
In FreeBSD, you cannot log in as root even if you know the password. You have to be in the wheel group.

You shouldn't be using anything whose kernel is BSD instead of GPL in the first place, as it can be used by companies to make proprietary forks (like Apple for instance).

Sure, the Chromium browser may also be based on the BSD license, but the rest of the OS is GPL.

TobiSGD 03-12-2011 03:37 PM

Quote:

Originally Posted by Kenny_Strawn (Post 4288424)
You shouldn't be using anything whose kernel is BSD instead of GPL in the first place, as it can be used by companies to make proprietary forks (like Apple for instance).

Sure, the Chromium browser may also be based on the BSD license, but the rest of the OS is GPL.

LOL, wait a minute, you are using Android and ChromeOS, but recommend to not use an OS that has a BSD-license?
I couldn't really take you seriously before this post, but now I know that I really shouldn't.

corp769 03-12-2011 03:40 PM

Quote:

Originally Posted by TobiSGD (Post 4288445)
LOL, wait a minute, you are using Android and ChromeOS, but recommend to not use an OS that has a BSD-license?
I couldn't really take you seriously before this post, but now I know that I really shouldn't.

+1...

Kenny_Strawn 03-12-2011 03:43 PM

Only at the kernel level. Chrome OS and Android have the B$D license at the user level. If the kernel is B$D, that means that the whole OS can be forked into a proprietary version. In Chrome OS, only the browser can be forked into a proprietary version, and in Android, only Dalvik and above can be forked into a proprietary version.

TobiSGD 03-12-2011 03:45 PM

And what makes that for a difference? ChromeOS without Chrome. Android without its userland? Wouldn't that be useless?

Kenny_Strawn 03-12-2011 03:53 PM

Quote:

Originally Posted by TobiSGD (Post 4288456)
And what makes that for a difference? ChromeOS without Chrome. Android without its userland? Wouldn't that be useless?

Not really. And Android is the Apache License anyway. However, that's beside the point. Chrome OS without Chrome would just be Ubuntu JeOS with X and some added commands. Put Unity (and GNOME) back on it, and you've just turned it back into Ubuntu. And with Android? Programmers can still fork the version of Android without its userland using IcedTea (for instance) to create a FOSS alternative to Dalvik that is still compatible with Android apps. My point being: As much as someone tries to close something up, unless the kernel is partially closed, developers can easily fork the open source portion into something usable.

TobiSGD 03-12-2011 06:12 PM

The Apache license is somewhat similar to the BSD license.
Quote:

Chrome OS without Chrome would just be Ubuntu JeOS with X and some added commands. Put Unity (and GNOME) back on it, and you've just turned it back into Ubuntu.
And would it run the ChromeOS apps? If ChromeOS becomes closed, I doubt so.
Quote:

developers can easily fork the open source portion into something usable.
Do you really think that it would be easy to write an Android-clone? How many developers are actually working on Android? And if you close Android's userland, do you really think it will be difficult for Google to make it so that the apps will not run on a clone?

Kenny_Strawn 03-12-2011 06:29 PM

First of all, even with something as permissive as the B$D license, you can't just take something that is open source and make the whole thing proprietary. You would have to open up some code, even if it may be nothing at all. And Google is usually generous enough to open up a lot of code (which they do; Chromium is no more different from Chrome than CentOS [or more properly Fedora] is from RHEL as I have said), so that argument is moot. And Chrome OS apps are mostly Web apps, so they can run from any browser and therefore any OS.

However, can we get back on topic please?

tiredofbilkyyaforallican 03-12-2011 09:58 PM

When I wish to perform some task sudo works just fine, besides I feel more secure in NOT going into root (I forget to remove privileges LOL)

RedNeck-LQ 03-12-2011 09:58 PM

I don't think much about licenses when using operating systems because I don't understand the legal mumbo jumbo of them.

To me an OS is an OS regardless of license type.

glennt11 03-13-2011 12:25 AM

This all really depends on the setting this vote is based on. My assumption is the OP is asking whether you prefer logging in as root, or logging in as your user account and using sudo to perform tasks in a corporate or otherwise "best security is needed" environment.

If that assumption is correct, as far as security goes, sudo hands down kills logging as root in my rule-book. Sudo allows you to set only certain admin commands to a user account, i.e. permissions to only add users, but can't delete them, etc. So you can fine-grain who can do what on your box. Give them the root password? There's not much control you have over what they can do once they log in!

I think you're all missing a key factor of logging in as root vs using sudo from a user account: when you sudo, your user login name and EXACT command that was run are logged in /var/log/secure each time you sudo something (I'm speaking from a Redhat/Fedora based standpoint... not sure how the other distros handle this).

At my company, on our Windows workstations, the same thing happens. The default Administrator account is disabled and a user account is created with Admin privileges to the local machine due to the previously mentioned reason other posters gave. EVERYONE knows a Windows box has an Administrator account, so they already have one-half of the equation to gain access to your machine by leaving it enabled. Will they have as much luck with an admin-enabled user account named hugo64? Maybe...if they figure out hugo64 is an actual account we use!!! (No...hugo64 is not real folks...at least not for my company :-) ).

Same thing with Linux, root is a known username, with known privileges to do whatever it wants. How many accounts can do 'rm -rf /' without any complaints from the system? First thing I'd suggest doing is try to limit this do-anything power if possible!

As far as our personal servers at home are concerned, use whatever gives you that 'fuzzy' feeling! It's 10x easier to login as root and perform the needed tasks. On my company's machines? You're going to need a damn good reason to get the root password, where I can give you a sudo permission to ONLY what you need to use, and can see the commands you tried to run on my box with sudo permissions. Just saying.

Here's an example of some output from the /var/log/secure file, with the X's meaning stuff I've removed:

Code:

Mar 12 08:48:13 COMPUTERNAME sudo: XXXXXXX : TTY=pts/0 ; PWD=/home/XXXXXXX/scripts ; USER=root ; COMMAND=/sbin/service iptables start

Mar 13 00:44:33 COMPUTERNAME sudo: XXXXXXX : TTY=pts/0 ; PWD=/home/XXXXXXX ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure

so as you can see, I can pull this log up and see what you've been doing during your session. Obviously, if this file's been compromised I'm SOL, but I have...backups in place I use to ensure I get this information. Not giving out all the secrets!

So in closing, if we're talking personal home servers, this all doesn't matter. On a machine where you care about who is doing what, see above again! :-)
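An added example, not part of glennt11's post or of sudo itself: a Python parser for sudo lines in the /var/log/secure format quoted above. It lists each user's commands, the attempts sudo rejected, and the runs where sudo launched a root shell (the "sudo bash" and "sudo su -" mentioned earlier in the thread), for which the log line records the shell's launch but not the commands typed inside it. The log sample, host name and user names are constructed.

```python
import os
import re
from collections import defaultdict

# Constructed sample: same layout as the lines quoted in the post above,
# plus a rejected command, two root shells and one unrelated sshd line.
SAMPLE_LOG = """\
Mar 12 08:48:13 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice/scripts ; USER=root ; COMMAND=/sbin/service iptables start
Mar 12 09:02:41 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 12 09:15:07 host1 sudo: carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/userdel dave
Mar 12 09:20:00 host1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50522 ssh2
Mar 13 00:44:33 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
Mar 13 01:10:12 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<body>.*)$"
)
# USER= in a sudo line is the account the command ran as, not the invoker.
FIELD_NAMES = {"TTY": "tty", "PWD": "pwd", "USER": "runas"}
# Programs that hand over an interactive root session when run via sudo.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}


def parse_sudo_line(line):
    """Return a dict for a sudo command line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # COMMAND= is always last; take the rest whole so ' ; ' in args survives.
    head, sep, command = m.group("body").partition("COMMAND=")
    if not sep:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host"),
             "user": m.group("user"), "command": command.strip(),
             "reason": None}
    for part in head.split(" ; "):
        part = part.strip(" ;")
        if not part:
            continue
        key, eq, value = part.partition("=")
        if eq and key in FIELD_NAMES:
            event[FIELD_NAMES[key]] = value
        else:
            # Free text such as 'command not allowed' marks a rejected attempt.
            event["reason"] = part
    return event


def audit(log_text):
    """Group sudo activity into allowed commands, denials and root shells."""
    report = {"by_user": defaultdict(list), "root_shells": [], "denied": []}
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        if ev["reason"]:
            report["denied"].append((ev["user"], ev["reason"], ev["command"]))
            continue
        report["by_user"][ev["user"]].append(ev["command"])
        words = ev["command"].split()
        program = os.path.basename(words[0]) if words else ""
        if ev.get("runas") == "root" and program in SHELLS:
            report["root_shells"].append((ev["user"], ev["command"]))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for name, commands in result["by_user"].items():
        print(name, commands)
    print("root shells:", result["root_shells"])
    print("denied:", result["denied"])
```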

initialdrifteg6 03-13-2011 12:33 AM

I personally use sudo anytime I need root access. When developing Ruby on Rails applications, I find myself accidentally creating a file that needs to be under the SSH access that user has. If I root then I'd forget to switch back. I will often need sudo to bundle install or install a gem. It's just good practice to intentionally type sudo to do something so that you know it is going to be executed as a root user.

foodown 03-18-2011 11:50 PM

I find it odd when people talk about sudo being "more secure," especially in the context of a discussion about Ubuntu. In its default configuration, Ubuntu essentially removes any security at all from the root account; any person who gains the password of a non-privileged user with sudoing rights has effectively rooted the box.

Also, maybe I am strange, but when I am acting as the superuser, it is rare that I have only one line of commands to issue. For this reason, sudo seems wholly without usefulness on a desktop linux system. The last thing I want to have to do when involved in administrative tasks is reauthenticate each time I finish typing a line of commands.

Of course, when properly configured, sudo can be quite useful if many users must perform administrative tasks on the same machine or within the same authentication domain. Even in situations like that, though, a "real" root shell should be employed whenever "pipe-hittin'" tasks are to be performed.

Lone_Wolf 04-04-2011 06:39 AM

su -, su -c "command" and login as root for me.

Only thing I ever used sudo for was to allow users to shut down the machine from the command line.

I'm running archlinux and my machines always start to a console login, each has a different root password.

Note: I got no experience with *nix in business environments.

Question for Ubuntu users:
what do you do if for some reason all users with sudo root privileges are unable to log in?

markhahn 04-04-2011 07:45 PM

I ssh as root with an encrypted key, and always cringe at systems where users can sudo without a password. however, I do respect sudo for its transparency (in an audit-trail sense.) sudo is a pain to use for more than trivially short operations, though - I sometimes spend much of the day operating as root.

sudo with passwords is a travesty, though: having to type passwords a lot both maximizes their exposure and provides an impetus for weak passwords. I use ssh-agent on a very small number of trusted consoles because, after all, you have to trust the machine you're sitting at. but I don't ever want to type passwords on/to less-trusted machines (have you ever administered a machine that's had an ssh and/or sshd installed that logs all passwords?)


All times are GMT -5.