I read somewhere:
Generally it is said that user shouldnt log?in as root.
but should login as user and then do sudo bash and enter the shell.
IF user does sudo bash and enter into shell he has capability to run commands run by root.
Then how can it be safe

Hi,

There is a difference between su and sudo as I understand it like this. When you log in as a normal user and you have to run 'root privileged' commands you can open a terminal and su into the root account, thus gaining root privileges for the duration of your terminal session. You'd have to know the root password.

On the contrary with sudo you'll have to provide your own user password. It only works if you're a member of the sudoers list and root has to add you. Furthermore sudo can be limited to certain commands and thus maintaining a level of security.

You can read more about it here:
Access control
Sudo vs root

Kind regards,

Eric

(Sorry if this seems like I'm butting in)

What about instances where there is no command, but only an argument (such as in the instance of "sudo -s")?

Hi,

Thank you for 'butting in', this is by no means a private conversation, everybody is free to participate. The more the merrier. This way I can learn too.

I haven't really used 'sudo -s' before but that just opens a 'shell' right? So if you don't give a user shell access, then they don't have the ability to execute sudo -s neither.

I think the whole point of using sudo is maintaining a level of security. Using the sudoers file you can limit quite a lot. And if you deny running a shell, only allow specific commands that need root privileges, then you should be quite safe.

Kind regards,

Eric

Thanks for the clarification. I was just wondering because I often use "sudo -s" as my way of accessing a root shell. I'm using Ubuntu, and I don't think I ever set up a root password, so I can't just use "su" for this. Is it a bad idea to use "sudo -s"?

It all depends on what you want to do with your system, what your level of expertise is and most important if you share your computer/server with others.

If your the administrator (root) then it's a good thing to maintain the shell possibility only for you and not for other users if you share access to the computer/server.

I on the other hand have rarely used su or sudo (only on my wife's ubuntu). On my computers I'm root and as such I work and play. If I kill the thing then I'm the only responsible.

At work I only share root access on all our servers with my fellow sysadmin. Other users only have normal access and all root privileged commands go through us.

I haven't had any problems yet.

Kind regards,

Eric

1 members found this post helpful.

The best use of sudo is to limit the regular user to the absolute minimum number of privileged commands to accomplish the tasks they need. In my opinion, "sudo bash" is not in that list.

Please be aware that Ubuntu has seriously bastardized the proper use of sudo because of their replacement of root with an administrator account. Most Linux distros (at least those not based on Ubuntu) don't allow this kind of nonsense with sudo. My personal opinion is that anything that allows you to get root privileges without root's password is a bad idea, but Ubuntu obviously doesn't agree.

your_shadow03,

Quote:

Generally it is said that user shouldnt log?in as root. but should login as user and then do sudo bash and enter the shell.

Yes, here you are not logged-in as superuser, but merely enjoys a superuser privilege with respect to the specified command that you have run. In that respect all other things are running as a regular 'user' except that 'command' alone which you have knowingly and willfully issued.

Quote:

IF user does sudo bash and enter into shell he has capability to run commands run by root. Then how can it be safe

Capability to run commands is not equal to an actually running the entire system as root. Capability is a mere potentiality; but running the system as root is already running in actuality. Issue: --$ sudo -i <Enter password> then You are in, but unless you willfully execute disastrous commands nothing is destroyed. As pointed out by EricTRA above this implementation maintains the level of security.
Sudo acquired status obtained through authenticated commands generally lasts for only 5 minutes, it expires without you knowing, the system is taking it back from you under assumption that it is no longer needed. You will need another sudo after that in order to run another need.
I have set my Slackware to run either as 'root' or 'sudoer' I can say that sudo implementation is reasonable and sound for newbies like me. The experts do not need it.

Hope this could help explain.

Good luck to all.