LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 12-25-2009, 06:04 AM   #1
your_shadow03
Senior Member
 
Registered: Jun 2008
Location: Germany
Distribution: Slackware
Posts: 1,462
Blog Entries: 6

Rep: Reputation: 51
Why you recommend sudo user?


Generally we find that its recommended safe to create sudo user and give him root access. All I do is:

Code:
tommy  ALL=(ALL) ALL
Thats it.

But one thing I never understood if sudo user is given permission to run all the root commands, how can it be safe.

Now as show above, tommy has all root privileges and so he can run those commands.
Say, Tommy by mistake ran this:
Code:
sudo rm - fr
password: *****
So What???

May I know why I generally hear "create sudo user dont give him root access"
 
Old 12-25-2009, 06:29 AM   #2
affinity
Member
 
Registered: Nov 2009
Distribution: Slackware64
Posts: 132

Rep: Reputation: 20
With sudo you can control what permissions the person actually has in the sudoers file. Personally I don't really use sudo, I just su when I need root privileges but having sudo instead of a root account does add extra security in that it's harder for someone to gain full root access on a machine if you are almost never in a root like environment. Some people say that sudo also offers an extra layer of protection against yourself in that you have to type the password in before doing something stupid, so you may realize what you are doing before it's too late. In my opinion that doesn't hold up as well if you consider most people are using a non root account and issuing commands through su, so it's about the same as doing sudo.
 
Old 12-25-2009, 08:01 AM   #3
malekmustaq
Senior Member
 
Registered: Dec 2008
Location: root
Distribution: Slackware & BSD
Posts: 1,665

Rep: Reputation: 485Reputation: 485Reputation: 485Reputation: 485Reputation: 485
Quote:
Now as show above, tommy has all root privileges and so he can run those commands.
Say, Tommy by mistake ran this:
Code:
sudo rm - fr
password: *****
So What???
And so why did you give Tommy a sudo power in the first place?

There is big difference between logging in as 'root' and logging in as 'user': I don't need expound it here, such is a public knowledge already. And if you log as user yet has a facility or convenient way of exercising superuser power over an isolated "specific" command or action, what security and convenience it has combined!

Sudo is intended for a conservative security conscious root owner; this should not be granted to a moron-user who learns only an 'rm -fr' and 'umask 0000' commands.

Hope this helps.

BTW, I truly hold some reluctance to post a response like this to a senior; I only seem here to mistake the OP is joking. Pardon in any way.

Last edited by malekmustaq; 12-25-2009 at 08:09 AM.
 
Old 12-25-2009, 08:32 AM   #4
~sHyLoCk~
Senior Member
 
Registered: Jul 2008
Location: /dev/null
Posts: 1,173
Blog Entries: 12

Rep: Reputation: 129Reputation: 129
It's not a question of hardened security, it a safety measure in case someone logged in as root runs a command like rm -rf /home/$USER/folder/* and instead he mistypes and forgets to type "folder" so it's just rm -rf /home/$USER/*
So, when you type sudo, you are actually "confirming" that you are aware and responsible for your action that you are about to perform.
Hence root login is disabled by default in many distributions like ubuntu. Advanced distros allow users to login as root but strongly recommend against it.
No one can stop you from doing something stupid if you set your mind to it. You can damage your system anyway. You can even put a Live CD and format someone's system.

Last edited by ~sHyLoCk~; 12-25-2009 at 08:33 AM.
 
Old 12-25-2009, 10:08 AM   #5
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 470Reputation: 470Reputation: 470Reputation: 470Reputation: 470
As long as you have logging enabled and use the logs, you can also trace who did what. If everyone uses ROOT you have no way of knowing who is carrying out malicious actions on your system or who has had their password cracked.
 
Old 12-25-2009, 11:47 AM   #6
your_shadow03
Senior Member
 
Registered: Jun 2008
Location: Germany
Distribution: Slackware
Posts: 1,462
Blog Entries: 6

Original Poster
Rep: Reputation: 51
Code:
As long as you have logging enabled and use the logs, you can also trace who did what. If everyone uses ROOT you have no way of knowing who is carrying out malicious actions on your system or who has had their password cracked.
You mean Just for Tracking who did what, we use sudo.
I dont think its good idea.
Yes, I do strongly believe that we can restrict few commands like rm and umask at critical directories.
And,
Code:
So,when you type sudo, you are actually "confirming" that you are aware and responsible for your action that you are about to perform
Confirming !!!! I never understood what we are confirming here.
I can bet..if you have ever worked in ubuntu and yu are sudo user..
You become so habitual that everytime yu run sudo <command> you have just habit of following steps and provide steps rather than slow down and see "Am I doing right thing?"

Still in doubt !!
 
Old 12-25-2009, 01:22 PM   #7
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 470Reputation: 470Reputation: 470Reputation: 470Reputation: 470
Quote:
Originally Posted by your_shadow03 View Post
You mean Just for Tracking who did what, we use sudo.
I dont think its good idea.
If you give out the ROOT password to more than one person, you have an inherent security issue. If one of the people decides to do "rm -rf /" as ROOT, how do you know who it was? If one of the ROOTs decides to go looking into user files they shouldn't, how will you know who it is?

As well, if you are giving out the password, it is likely to be easy to remember. Therefore, it is likely to be crackable. Using SUDO, you can set the ROOT password to be a very long string of letters, numbers and special characters, safe in the knowledge that it will never be used and will be nigh on impossible to crack. All users then have the responsibility to remember their own passwords only.

If you use SUDO, you can track who did what. It is a very basic security measure.

Quote:
Originally Posted by your_shadow03 View Post
Code:
So,when you type sudo, you are actually "confirming" that you are aware and responsible for your action that you are about to perform
Confirming !!!! I never understood what we are confirming here.
I can bet..if you have ever worked in ubuntu and yu are sudo user..
You become so habitual that everytime yu run sudo <command> you have just habit of following steps and provide steps rather than slow down and see "Am I doing right thing?"

Still in doubt !!
You seem to want to make things easier for your admins, not more secure for your system. Why is that? If they are any good they will be able to understand why you use SUDO.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
unchecked link between pc user and sudo user on Mint5 how do I get it back,stop laugh Fred Caro Linux - Newbie 2 04-22-2009 08:36 PM
Gconf-editor settings not sticking for root, sudo user, or user when run sandaili Fedora 1 07-19-2008 08:31 AM
Which distribution do you recommend for a new Linux user? yerin vamooshe Linux - General 3 01-22-2007 01:18 AM
Sudo for more than one user MOCKBA Ubuntu 3 09-30-2006 02:38 AM
SUDO for user nobody tracer Linux - Newbie 3 01-12-2006 02:12 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 05:59 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration