View Poll Results: Do you use sudo or the root account to gain root privileges?
sudo 43 50.00%
log in as root 43 50.00%
Voters: 86. You may not vote on this poll

Old 03-13-2011, 12:25 AM   #46
glennt11
LQ Newbie
 
Registered: Aug 2004
Location: NY
Distribution: Ubuntu,Red Hat,Centos 5
Posts: 29

Rep: Reputation: 0

This all really depends on the setting this vote is based on. My assumption is the OP is asking whether you prefer logging in as root, or logging in as your user account and using sudo to perform tasks in a corporate or otherwise "best security is needed" environment.

If that assumption is correct, as far as security goes, sudo hands down kills logging as root in my rule-book. Sudo allows you to set only certain admin commands to a user account, i.e. permissions to only add users, but can't delete them, etc. So you can fine-grain who can do what on your box. Give them the root password? There's not much control you have over what they can do once they log in!

I think you're all missing a key factor of logging in as root vs using sudo from a user account: when you sudo, your user login name and EXACT command that was run are logged in /var/log/secure each time you sudo something (I'm speaking from a Redhat/Fedora based standpoint....not sure how the other distros handle this).

At my company, on our Windows workstations, the same thing happens. The default Administrator account is disabled and a user account is created with Admin privileges to the local machine due to the previously mentioned reason other posters gave. EVERYONE knows a Windows box has an Administrator account, so they already have one-half of the equation to gain access to your machine by leaving it enabled. Will they have as much luck with an admin-enabled user account named hugo64? Maybe...if they figure out hugo64 is an actual account we use!!! (No...hugo64 is not real folks...at least not for my company :-) ).

Same thing with Linux, root is a known username, with known privileges to do whatever it wants. How many accounts can do 'rm -rf /' without any complaints from the system? First thing I'd suggest doing is try to limit this do-anything power if possible!

As far as our personal servers at home are concerned, use whatever gives you that 'fuzzy' feeling! It's 10x easier to login as root and perform the needed tasks. On my company's machines? You're going to need a damn good reason to get the root password, where I can give you a sudo permission to ONLY what you need to use, and can see the commands you tried to run on my box with sudo permissions. Just saying.

Here's an example of some output from the /var/log/secure file, with the X's meaning stuff I've removed:

Code:
Mar 12 08:48:13 COMPUTERNAME sudo: XXXXXXX : TTY=pts/0 ; PWD=/home/XXXXXXX/scripts ; USER=root ; COMMAND=/sbin/service iptables start

Mar 13 00:44:33 COMPUTERNAME sudo: XXXXXXX : TTY=pts/0 ; PWD=/home/XXXXXXX ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
so as you can see, I can pull this log up and see what you've been doing during your session. Obviously, if this file's been compromised I'm SOL, but I have...backups in place I use to ensure I get this information. Not giving out all the secrets!

So in closing, if we're talking personal home servers, this all doesn't matter. On a machine where you care about who is doing what, see above again! :-)
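The audit trail described in this post can be read mechanically. The following Python code is an added example, not part of the original post: it parses sudo entries in the quoted /var/log/secure format and marks refused commands and root shells, after which sudo records nothing further for that session. The sample lines, host and user names are constructed.

```python
import os
import re

# Constructed sample lines in the format of the /var/log/secure excerpt quoted
# above; host, user names and the refused entry are made up for illustration.
SAMPLE_LOG = """\
Mar 12 08:48:13 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice/scripts ; USER=root ; COMMAND=/sbin/service iptables start
Mar 12 09:02:41 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 12 09:10:05 host1 sudo: carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/userdel dave
Mar 12 09:11:00 host1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50514 ssh2
"""

ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:(?P<note>[^;=]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)

# Programs that hand over an interactive root session: sudo records this one
# line and nothing typed inside the session afterwards.
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh", "su"}


def parse(log_text):
    """Yield a dict of fields for every sudo entry; other lines are skipped."""
    for line in log_text.splitlines():
        match = ENTRY.match(line)
        if match:
            yield match.groupdict()


def verdict(entry):
    """Classify one entry as 'refused', 'shell' or 'ok'."""
    if entry["note"]:                      # e.g. "command not allowed"
        return "refused"
    words = entry["command"].split()
    if words and os.path.basename(words[0]) in SHELLS:
        return "shell"                     # audit trail stops at this line
    return "ok"


def audit(log_text):
    """Return (timestamp, user, verdict, command) for each sudo entry."""
    return [(e["ts"], e["user"], verdict(e), e["command"]) for e in parse(log_text)]


if __name__ == "__main__":
    for ts, user, result, command in audit(SAMPLE_LOG):
        print(f"{ts}  {user:<8} {result:<8} {command}")
```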
 
Old 03-13-2011, 12:33 AM   #47
initialdrifteg6
Member
 
Registered: Sep 2004
Location: France, Kentucky
Distribution: debian
Posts: 173

Rep: Reputation: 38
I personally use sudo anytime I need root access. When developing Ruby on Rails applications, I find myself accidentally creating a file that needs to be under the SSH access that user has. If I root then I'd forget to switch back. I will often need sudo to bundle install or install a gem. It's just good practice to intentionally type sudo to do something so that you know it is going to be executed as a root user.
 
Old 03-18-2011, 11:50 PM   #48
foodown
Member
 
Registered: Jun 2009
Location: Texas
Distribution: Slackware
Posts: 607

Rep: Reputation: 218
I find it odd when people talk about sudo being "more secure," especially in the context of a discussion about Ubuntu. In its default configuration, Ubuntu essentially removes any security at all from the root account; any person who gains the password of a non-privileged user with sudoing rights has effectively rooted the box.

Also, maybe I am strange, but when I am acting as the superuser, it is rare that I have only one line of commands to issue. For this reason, sudo seems wholly without usefulness on a desktop linux system. The last thing I want to have to do when involved in administrative tasks is reauthenticate each time I finish typing a line of commands.

Of course, when properly configured, sudo can be quite useful if many users must perform administrative tasks on the same machine or within the same authentication domain. Even in situations like that, though, a "real" root shell should be employed whenever "pipe-hittin'" tasks are to be performed.
 
Old 04-04-2011, 06:39 AM   #49
Lone_Wolf
Member
 
Registered: Jul 2007
Location: Netherlands
Distribution: Archlinux x86_64
Posts: 48

Rep: Reputation: 20
su -, su -c "command" and login as root for me.

Only thing I ever used sudo for was to allow users to shutdown the machine from commandline.

I'm running archlinux and my machines always start to a console login, each has a different root password.

Note: I got no experience with *nix in business environments.

Question for Ubuntu users:
what do you do if for some reason all users with sudo root privileges are unable to login?
 
Old 04-04-2011, 07:45 PM   #50
markhahn
LQ Newbie
 
Registered: Jan 2011
Posts: 9

Rep: Reputation: 2
I ssh as root with an encrypted key, and always cringe at systems where users can sudo without a password. however, I do respect sudo for its transparency (in an audit-trail sense.) sudo is a pain to use for more than trivially short operations, though - I sometimes spend much of the day operating as root.

sudo with passwords is a travesty, though: having to type passwords a lot both maximizes their exposure and provides an impetus for weak passwords. I use ssh-agent on a very small number of trusted consoles because, after all, you have to trust the machine you're sitting at. but I don't ever want to type passwords on/to less-trusted machines (have you ever administered a machine that's had an ssh and/or sshd installed that logs all passwords?)
 
Old 04-06-2011, 08:55 AM   #51
SL00b
Member
 
Registered: Feb 2011
Location: LA, US
Distribution: SLES
Posts: 375

Rep: Reputation: 111
Quote:
Originally Posted by markhahn
sudo is a pain to use for more than trivially short operations, though - I sometimes spend much of the day operating as root.
Again, if you're going to be on the system for quite a while and will need root privileges for most of that time, the command "sudo bash" will solve this problem for you. It's effectively the same as su or a login as root. You won't be bothered with a password prompt again until you exit the bash session.
 
Old 04-06-2011, 04:29 PM   #52
jhettmer
LQ Newbie
 
Registered: Aug 2009
Posts: 2

Rep: Reputation: 0
sudo vs su - problem solved for me

sudo is okay for a one-shot. For more I have a script named rootwin, which is (on FC6):
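# Remember the current directory so the root terminal opens in it.
PWD=`/bin/pwd`
# "xhost +" turns off X access control for every host; then start a root gnome-terminal.
su -plm -c "xhost +; cd \"$PWD\"; gnome-terminal --window-with-profile=Default &" root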

Root's default terminal has a coral background, so can't mistake it. Type the password once. (Had to do something slightly sneakier on ubuntu 9.10, I forget what, but same idea). We use rootwin a lot.
 
Old 04-09-2011, 03:03 AM   #53
foodown
Member
 
Registered: Jun 2009
Location: Texas
Distribution: Slackware
Posts: 607

Rep: Reputation: 218
An easily customizable alternative /etc/sudoers file for Slackware providing some pretty convenient administrating privileges to those in the root group without them having to have the root password:
Code:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

Defaults        env_reset,insults

# User privilege specification
root    ALL=(ALL) ALL

# Allow many special privileges to those in the root group.
# Add what you like; Comment out or wipe out what you don't.
%root           ALL=/sbin/mount
%root           ALL=/sbin/umount
%root           ALL=/usr/bin/cp
%root           ALL=/usr/bin/vi
%root           ALL=/bin/kill
%root           ALL=/bin/killall
%root           ALL=/sbin/init
%root           ALL=/sbin/runlevel
%root           ALL=/sbin/shutdown
%root           ALL=/sbin/halt
%root           ALL=/sbin/ctrlaltdel
%root           ALL=/sbin/poweroff
%root           ALL=/sbin/reboot
%root           ALL=/sbin/insmod
%root           ALL=/sbin/insmod.static
%root           ALL=/sbin/rmmod
%root           ALL=/sbin/lsmod
%root           ALL=/sbin/modprobe
%root           ALL=/sbin/modinfo
%root           ALL=/sbin/depmod
%root           ALL=/sbin/ldconfig
%root           ALL=/sbin/fsck
%root           ALL=/sbin/ifconfig
%root           ALL=/sbin/ifrename
%root           ALL=/sbin/ifstat
%root           ALL=/sbin/iwconfig
%root           ALL=/sbin/iwevent
%root           ALL=/sbin/iwgetid
%root           ALL=/sbin/iwlist
%root           ALL=/sbin/iwpriv
%root           ALL=/sbin/iwspy
%root           ALL=/sbin/dhcpcd
%root           ALL=/sbin/route
%root           ALL=/sbin/routel
%root           ALL=/sbin/routef
%root           ALL=/sbin/quotacheck
%root           ALL=/sbin/quotaon
%root           ALL=/sbin/quotaoff
%root           ALL=/sbin/convertquota
%root           ALL=/sbin/swapon
%root           ALL=/sbin/swapoff
%root           ALL=/sbin/lspci
%root           ALL=/sbin/lspcmcia
%root           ALL=/sbin/rescan-scsi-bus
%root           ALL=/sbin/hwclock
%root           ALL=/sbin/makepkg
%root           ALL=/usr/bin/chown
%root           ALL=/usr/bin/chmod
If you are using an LDAP for authentication or anything else non-local, you'll want to change all of those 'ALL's to 'localhost.' (Not the first three, of course.)

An alternative package for sudo, enabling all of the insults:
sudo-1.7.4p6-x86_64-1ram.txz

Last edited by foodown; 04-09-2011 at 03:05 AM.
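As an added example (not part of foodown's post and not a sudo tool), a Python check for a command whitelist of the flat form shown above: it reports grants that are equivalent to unrestricted root because the command, allowed with any arguments, can write files, change ownership or load kernel code. It assumes no aliases or line continuations; the ROOT_EQUIVALENT table and the %ops rule are illustrative choices, not a complete list.

```python
import os
import re

# Constructed excerpt: the %root entries are taken from the sudoers file in the
# post above; the %ops line is hypothetical and shows a rule with pinned arguments.
SAMPLE_SUDOERS = """\
Defaults        env_reset,insults
root    ALL=(ALL) ALL
%root           ALL=/sbin/reboot
%root           ALL=/usr/bin/vi
%root           ALL=/usr/bin/cp
%root           ALL=/usr/bin/chown
%root           ALL=/sbin/insmod
%ops            ALL=/sbin/service httpd restart
"""

# Commands that amount to unrestricted root when granted with any arguments.
ROOT_EQUIVALENT = {
    "vi": "editor with shell escape and arbitrary file write",
    "cp": "can overwrite any file as root",
    "chown": "can change the owner of any file",
    "chmod": "can change the mode of any file",
    "mount": "can mount arbitrary filesystems",
    "insmod": "loads arbitrary kernel modules",
}

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<spec>.+)$")


def commands(sudoers_text):
    """Yield (who, command) for each flat 'who host = cmd[, cmd]' rule."""
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        match = None if line.startswith(("#", "Defaults")) else RULE.match(line)
        if not match or match["who"].endswith("_Alias"):
            continue
        spec = re.sub(r"^\([^)]*\)\s*", "", match["spec"])    # drop (runas)
        spec = re.sub(r"^(?:[A-Z_]+:\s*)+", "", spec)         # drop NOPASSWD: etc.
        for cmd in spec.split(","):
            if cmd.strip():
                yield match["who"], cmd.strip()


def audit(sudoers_text):
    """Return (who, command, reason) for every root-equivalent grant."""
    findings = []
    for who, cmd in commands(sudoers_text):
        words = cmd.split()
        if words[0] == "ALL":
            findings.append((who, cmd, "unrestricted"))
        elif os.path.basename(words[0]) in ROOT_EQUIVALENT and len(words) == 1:
            findings.append((who, cmd, ROOT_EQUIVALENT[os.path.basename(words[0])]))
    return findings
```

Calling `audit(SAMPLE_SUDOERS)` lists the `root` rule plus the `vi`, `cp`, `chown` and `insmod` grants, and leaves `reboot` and the argument-pinned `service` rule unflagged.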
 
Old 04-17-2011, 07:10 PM   #54
hans51
Member
 
Registered: Mar 2005
Location: Cambodia
Distribution: suse
Posts: 36
Blog Entries: 1

Rep: Reputation: 16
I work full time on Linux since 1998 and strictly login AND work as root
that keeps me awake and forces me to pay attention to what I do
important to me because all my remote controlled servers also need to be managed
 
Old 04-18-2011, 12:12 PM   #55
.oOZe.
LQ Newbie
 
Registered: May 2004
Location: Vancouver, BC
Distribution: FC14
Posts: 16

Rep: Reputation: 2
sudo is useful for machines with users needing occasional privilege elevation. Disabling root access completely and forcing admin users to repeatedly type their passwords is not only less secure it is also time consuming, particularly when performing many short commands at intervals.

Disabling any remote root logins, limiting login attempts, hardening the system, timing out idle root sessions and using strong passwords (or alternately ssh keys) is far more secure and time effective.

Regarding admins with root access leaving the organization... isn't it about time you changed the root passwords anyway? Or is turnover really that high?

Last edited by .oOZe.; 04-18-2011 at 12:20 PM.
 
Old 04-18-2011, 03:16 PM   #56
psionl0
Member
 
Registered: Jan 2011
Distribution: slackware_64 14.0
Posts: 505
Blog Entries: 2

Rep: Reputation: 67
The only use that I have for the sudo command is so that I can shutdown my computer from a fluxbox menu.

In almost all other cases I use the su command if I need root privileges. On very rare occasions I log in as root.
 
Old 04-18-2011, 03:21 PM   #57
izakharyaschev
LQ Newbie
 
Registered: Apr 2011
Location: Moscow
Distribution: ALT Sisyphus
Posts: 7

Rep: Reputation: 0
against sudo/su: allows to gain root from a compromised otherwise non-privileged user account (Owl)

Quote:
Originally Posted by Kenny_Strawn
However, I think that using sudo is more secure than the root account for the same reasons that the Ubuntu developers think so: because the root account is a prime target for password crackers.
But there are also different arguments:

The designers of the secured OpenWall GNU/*/Linux distro have also expressed critical opinions on `su` (for becoming root) and `sudo`. You might be interested in reading this thread:

[...unfortunately both su and sudo are subtly but fundamentally flawed.](http://www.openwall.com/lists/owl-users/2004/10/20/6):

Quote:
And the reason I give against using this approach is that it
effectively allows anyone who could have compromised the otherwise
non-privileged user account used to su from to gain root (at the
next invocation of su by the admin). So the separation between the
non-root and the root accounts is lost.
Apart from discussing the flaws of `su` and other things, Solar Designer also targets one specific reason to use `su`:

> Yes, it used to be common sysadmin
> wisdom to "su root" rather than login
> as root. Those few who, when asked,
> could actually come up with a valid
> reason for this preference would refer
> to the better accountability achieved
> with this approach. Yes, this really
> is a good reason in favor of this
> approach. But it's also the only one. ...(read more)

In their distro, they have ["completely got rid of SUID root programs in the default install"](http://www.openwall.com/lists/oss-security/2010/11/08/3) (i.e., including `su`; and they do not use capabilities for this):

> For servers, I think people need to
> reconsider and, in most cases,
> disallow invocation of su and sudo by
> the users. There's no added security
> from the old "login as non-root, then
> su or sudo to root" sysadmin "wisdom",
> as compared to logging in as non-root
> and as root directly (two separate
> sessions). On the contrary, the
> latter approach is the only correct
> one, from a security standpoint:
>
> http://www.openwall.com/lists/owl-users/2004/10/20/6
>
> (For accountability of multiple
> sysadmins, the system needs to support
> having multiple root-privileged
> accounts, like Owl does.)
>
> (For desktops with X, this gets
> trickier.)
>
> You also absolutely have to deal with...

BTW, they were to replace `sulogin` with [`msulogin`](http://www.ohloh.net/p/msulogin) to allow the setup with multiple root accounts: `msulogin` allows one to type in the user name also when going into the single user mode (and preserve the "accountability") (this info comes from [this discussion in Russian](http://www.opennet.ru/openforum/vslu.../73378.html#24)).
 
Old 04-18-2011, 03:42 PM   #58
MBybee
Member
 
Registered: Jan 2009
Location: wherever I can make a living
Distribution: PC-BSD / FreeBSD / Debian / Ubuntu / Win7 / OpenVMS
Posts: 438

Rep: Reputation: 57
Sudo 99% of the time, root rarely if ever.

I professionally admin boxes (AIX, IRIX, Linux, FreeBSD, OpenBSD, and Solaris) and follow the same practices on all of them. Always run with the minimum possible permissions, never allow SSH as root. Been doing OS and DB support since before Linux, will continue doing it long after. Even before sudo, it was always the same. Use a 'vanity' account (named user) unless for some reason it is impossible to do so (ultra rare).
 
Old 04-18-2011, 05:42 PM   #59
jefro
Guru
 
Registered: Mar 2008
Posts: 10,275

Rep: Reputation: 1258
Wow! Almost half the people are wrong!
 
1 members found this post helpful.
Old 04-18-2011, 07:32 PM   #60
John VV
Guru
 
Registered: Aug 2005
Posts: 12,144

Rep: Reputation: 1595
Quote:
Wow! Almost half the people are wrong!
why ?

su & su - ### is great BUT not for ALL and EVERY situation

sudo ### can open up a hole but is BETTER for some situations

log in as root ### good for a few things BUT not for others

use what IS BEST for the situation and need .
 
  

