Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place! |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
![Reply](https://www.linuxquestions.org/questions/images/buttons/reply.gif) |
12-25-2009, 07:04 AM
|
#1
|
Senior Member
Registered: Jun 2008
Location: Germany
Distribution: Slackware
Posts: 1,466
Rep:
|
Why you recommend sudo user?
Generally we find that its recommended safe to create sudo user and give him root access. All I do is:
Code:
tommy ALL=(ALL) ALL
Thats it.
But one thing I never understood if sudo user is given permission to run all the root commands, how can it be safe.
Now as show above, tommy has all root privileges and so he can run those commands.
Say, Tommy by mistake ran this:
Code:
sudo rm - fr
password: *****
So What???
May I know why I generally hear "create sudo user dont give him root access"
|
|
|
12-25-2009, 07:29 AM
|
#2
|
Member
Registered: Nov 2009
Distribution: Slackware64
Posts: 132
Rep:
|
With sudo you can control what permissions the person actually has in the sudoers file. Personally I don't really use sudo, I just su when I need root privileges but having sudo instead of a root account does add extra security in that it's harder for someone to gain full root access on a machine if you are almost never in a root like environment. Some people say that sudo also offers an extra layer of protection against yourself in that you have to type the password in before doing something stupid, so you may realize what you are doing before it's too late. In my opinion that doesn't hold up as well if you consider most people are using a non root account and issuing commands through su, so it's about the same as doing sudo.
|
|
|
12-25-2009, 09:01 AM
|
#3
|
Senior Member
Registered: Dec 2008
Location: root
Distribution: Slackware & BSD
Posts: 1,669
|
Quote:
Now as show above, tommy has all root privileges and so he can run those commands.
Say, Tommy by mistake ran this:
Code:
sudo rm - fr
password: *****
So What???
|
And so why did you give Tommy a sudo power in the first place?
There is big difference between logging in as 'root' and logging in as 'user': I don't need expound it here, such is a public knowledge already. And if you log as user yet has a facility or convenient way of exercising superuser power over an isolated "specific" command or action, what security and convenience it has combined!
Sudo is intended for a conservative security conscious root owner; this should not be granted to a moron-user who learns only an 'rm -fr' and 'umask 0000' commands.
Hope this helps.
BTW, I truly hold some reluctance to post a response like this to a senior; I only seem here to mistake the OP is joking. Pardon in any way.
Last edited by malekmustaq; 12-25-2009 at 09:09 AM.
|
|
|
12-25-2009, 09:32 AM
|
#4
|
Senior Member
Registered: Jul 2008
Location: /dev/null
Posts: 1,173
Rep: ![Reputation: 129](https://www.linuxquestions.org/questions/images/reputation/reputation_pos.gif)
|
It's not a question of hardened security, it a safety measure in case someone logged in as root runs a command like rm -rf /home/$USER/folder/* and instead he mistypes and forgets to type "folder" so it's just rm -rf /home/$USER/*
So, when you type sudo, you are actually "confirming" that you are aware and responsible for your action that you are about to perform.
Hence root login is disabled by default in many distributions like ubuntu. Advanced distros allow users to login as root but strongly recommend against it.
No one can stop you from doing something stupid if you set your mind to it. You can damage your system anyway. You can even put a Live CD and format someone's system.
Last edited by ~sHyLoCk~; 12-25-2009 at 09:33 AM.
|
|
|
12-25-2009, 11:08 AM
|
#5
|
Moderator
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
|
As long as you have logging enabled and use the logs, you can also trace who did what. If everyone uses ROOT you have no way of knowing who is carrying out malicious actions on your system or who has had their password cracked.
|
|
|
12-25-2009, 12:47 PM
|
#6
|
Senior Member
Registered: Jun 2008
Location: Germany
Distribution: Slackware
Posts: 1,466
Original Poster
Rep:
|
Code:
As long as you have logging enabled and use the logs, you can also trace who did what. If everyone uses ROOT you have no way of knowing who is carrying out malicious actions on your system or who has had their password cracked.
You mean Just for Tracking who did what, we use sudo.
I dont think its good idea.
Yes, I do strongly believe that we can restrict few commands like rm and umask at critical directories.
And,
Code:
So,when you type sudo, you are actually "confirming" that you are aware and responsible for your action that you are about to perform
Confirming !!!! I never understood what we are confirming here.
I can bet..if you have ever worked in ubuntu and yu are sudo user..
You become so habitual that everytime yu run sudo <command> you have just habit of following steps and provide steps rather than slow down and see "Am I doing right thing?"
Still in doubt !!
|
|
|
12-25-2009, 02:22 PM
|
#7
|
Moderator
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
|
Quote:
Originally Posted by your_shadow03
You mean Just for Tracking who did what, we use sudo.
I dont think its good idea.
|
If you give out the ROOT password to more than one person, you have an inherent security issue. If one of the people decides to do "rm -rf /" as ROOT, how do you know who it was? If one of the ROOTs decides to go looking into user files they shouldn't, how will you know who it is?
As well, if you are giving out the password, it is likely to be easy to remember. Therefore, it is likely to be crackable. Using SUDO, you can set the ROOT password to be a very long string of letters, numbers and special characters, safe in the knowledge that it will never be used and will be nigh on impossible to crack. All users then have the responsibility to remember their own passwords only.
If you use SUDO, you can track who did what. It is a very basic security measure.
Quote:
Originally Posted by your_shadow03
Code:
So,when you type sudo, you are actually "confirming" that you are aware and responsible for your action that you are about to perform
Confirming !!!! I never understood what we are confirming here.
I can bet..if you have ever worked in ubuntu and yu are sudo user..
You become so habitual that everytime yu run sudo <command> you have just habit of following steps and provide steps rather than slow down and see "Am I doing right thing?"
Still in doubt !!
|
You seem to want to make things easier for your admins, not more secure for your system. Why is that? If they are any good they will be able to understand why you use SUDO.
|
|
|
All times are GMT -5. The time now is 12:23 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|