I know, I know...let me play devil's advocate and spare me the explanation on how SUDO is more secure/flexible (because I already know)
Let's take Ubuntu's approach to SUDO and root...Ubuntu (and its variants) disable the root password and rely strictly on SUDO for administrative tasks...
How is this *more* secure than having the root account enabled? (follow me for a sec)
With the root account enabled and using SU:
* I would have to guess a user password
* THEN guess the root password
With a disabled root account; and reliance on SUDO (the "Ubuntu way"):
* I just have to guess 1 password.
Logically speaking it's LESS secure because I have less "walls" in front of me...
-C
P.S.
I know I know I know..."you can enable the root account by..." just spare me...this is more of a discussion than a question
Distribution: Slackware (personalized Window Maker), Mint (customized MATE)
Posts: 1,309
Quote:
Originally Posted by custangro
With the root account enabled and using SU:
* I would have to guess a user password
* THEN guess the root password
With a disabled root account; and reliance on SUDO (the "Ubuntu way"):
* I just have to guess 1 password.
Assuming you'd like to gain the access to root's account in the first case it's enough to guess root's password -- exactly the same as in the second case.
Yep, also, with sudo you have a log of which account is being misused/cracked and so you can take steps when it's happening. If su does wrong, you only know that it's root, not who is acting as root.
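The attribution point raised above, as an added example that is not part of any post in this thread: a small Python audit over auth.log-style lines, showing that sudo records the invoking account for each command or refusal, while a direct root login names no personal account. The sample lines, host name, user names and address are constructed, and the line layout assumes sudo's default syslog format.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumption: sudo's default syslog layout).
SAMPLE_LOG = """\
Aug  9 20:01:12 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Aug  9 20:03:40 box sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Aug  9 20:04:02 box sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/passwd root
Aug  9 20:05:19 box sshd[812]: Accepted password for root from 192.0.2.10 port 50122 ssh2
Aug  9 20:06:30 box sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
"""

# sudo entry: invoking user, optional refusal note, then the fixed key=value tail.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<note>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Direct root login over SSH: the log names only "root" and a source address.
ROOT_LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (\S+)")


def audit(log_text):
    """Group privileged activity by the account that can be held responsible."""
    ran = defaultdict(list)      # user -> commands executed as root via sudo
    denied = defaultdict(list)   # user -> reasons sudo refused the request
    root_logins = []             # source addresses of logins made as root itself
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m and m.group("target") == "root":
            if m.group("note"):
                denied[m.group("user")].append(m.group("note"))
            else:
                ran[m.group("user")].append(m.group("cmd"))
            continue
        m = ROOT_LOGIN_RE.search(line)
        if m:
            root_logins.append(m.group(1))
    return {"ran": dict(ran), "denied": dict(denied), "root_logins": root_logins}


if __name__ == "__main__":
    for section, data in audit(SAMPLE_LOG).items():
        print(section, data)
```
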
In properly configured systems, sudo gives users access to a precisely selected set of commands, while su with root's password gives access to all commands. Giving somebody access to a restricted set of commands is more secure than giving him access to all commands.
Ubuntu's approach to sudo isn't proper.*
----------
* It's my opinion -- yours may be the opposite.
Ubuntu doesn't "give users access to precisely selected set of the commands". Ubuntu gives access to ALL commands...
Yes, but I believe that's more or less to give it a more Windows type of feel for the newly converted ex-Windows user. There are probably other things that many of us don't like about Ubuntu - but it does seem to help get new users into the Linux fold, so it can't be all bad.
Sure? Try making a second account. The first one is the administrator's so it kind of makes sense to grant it all privileges; not so for any additional accounts unless additional privileges are explicitly granted by the administrator.
Of course, you could argue that a system that uses su does not grant root privileges at all. As I have pointed out before, that is sophistry. If you install such a system, you enter a root password during install - so you'll know it anyway and you have access to everything all the same. Yep, maybe someone else can install the thing for the user but the same would apply to any distro that uses sudo instead.
Quote:
With the root account enabled and using SU:
* I would have to guess a user password
* THEN guess the root password
With a disabled root account; and reliance on SUDO (the "Ubuntu way"):
* I just have to guess 1 password.
Isn't it the other way round?? With su, you log on as "root" and you need to guess only the root password; with sudo, you have to find out the users' names first, then you have to determine the types of privileges they have and then you still need to obtain a password.
Quote:
Yes, but I believe that's more or less to give it a more Windows type of feel for the newly converted ex-Windows user. There are probably other things that many of us don't like about Ubuntu - but it does seem to help get new users into the Linux fold, so it can't be all bad.
I agree. It makes it easier for new users to "convert" over...
But I think it's a "false" statement that most people say that Ubuntu is "more secure" because it disables the root account...because personally...I think it makes it LESS secure...
whereas you would have to guess 2 passwords otherwise.
Oh, now I see what you mean. Log in as regular user, then become root. I hadn't thought of the first part; but then it would only apply if root log-ins are disabled.
Quote:
I agree. It makes it easier for new users to "convert" over...
But I think it's a "false" statement that most people say that Ubuntu is "more secure" because it disables the root account...because personally...I think it makes it LESS secure...
And I would agree with you; assuming that you are in a multi-user system and don't grant ALL authority to any one user. However, most of us in a non-business single-user environment probably just allow ALL, so there are effectively 2 root users. Sure, we pretend that it's not the same as Ubuntu, but effectively, it is.
Last edited by Quakeboy02; 08-09-2009 at 08:32 PM.