I like sudo - it makes it much more unlikely that I will inadvertantly damage my system.

If you need a root shell, then use the command "sudo -s". It will prompt you for your password, and then give you a shell with root privilleges.

I can understand why a root user is needed, to start all the privilleged processes and own global config files, etc. There is no reason for a root login though.

--Ian

You can use a couple approaches to do this.
1) Assign a password to root: sudo su, then passwd
2) Jump to a root shell: sudo su

Generally sudo is a good and safe way of giving users some root privileges. Many distros use sudo to give users limited root privileges e.g. the ability to mount devices or shutdown the system. Also sudo is very good where you need multiple system administrators with all or some root privileges. In such instances sudo saves you from giving out the root password of the machine to every admin user.

The main problem with Ubuntus way of using sudo as JaseP mentioned is that if someone cracks the admin password, then they own the system and can do as they wish. On a system using a classical root account, if you gain access to a users account, you don't automatically gain root access. To make the problem worse, the root account on Ubuntu is enabled just like in any other Linux distro, but the big difference is that it lacks a password. If I successfully cracked an Ubuntu system, I could give root a password, login as root and do as I wish with the system e.g. allow root logins using ssh or some other mechanism. The next time, I want to access the machine, I would not have to go through the admin account.

The only advantages that I see about the way sudo is implemented in Ubuntu is that it makes sysadmin tasks a bit easier for those moving from operating systems where logging in as an admin user is the norm and they probably don't have a great deal of knowledge about the Unix security model. The other advantage is that as long as the admin user has a good password and does not give it out to anyone, it can be difficult to crack an Ubuntu system using usernames and passwords because you may not know what username to look for or which user is the admin user. On systems using classical root accounts, everyone knows that there is a user called root (although this is not always the case since some people change the login name and other details of the root account) and if you gain access to that account you get access to the whole machine.

You can get rid of the sudo thing in Ubuntu (which is what I usually do when I setup Ubuntu based systems because I prefer a classic root account). All you have to do is give root a password e.g. "sudo passwd root". After that login as root, run visudo as root and just disable the ability of anyone in the admin group to run all system commands. You can even get rid of the admin group if you wish by running "groupdel admin". On the systems that use sudo, I set a root password as well as remove the option that enables a user to run all admin privileges as root and replace it with the ability to run "some" commands as root.

Using su also has its problems. There is a tendency amongst some users to regularly login as root or to forget to logout when they login as root and this can have disastrous consequences. As others mentioned, "su -c" is a very good way to run single commands as root without actually logging in as the root user. Some Unix systems e.g. FreeBSD prevent anyone from being able to su to root unless you are in a special group, this gives the classical root model a bit more security.

Thanks for the low-down, reddazz. You're obviously speaking from experience, and I think it just comes down to doing the best you can and being aware. There is no panacea when it comes to security.

Yes...thanks.....

Currently in MEPIS I use the traditional "su" method.

Assume someday I switch to Ubuntu / Kubuntu.

Furthermore assume I am (knock on wood) a person who always remembers to type "exit" when I am finished with a root session in terminal.

If security is more important to me than easy useableness, would you folks recommend the traditional "su" method or the newer "sudo" method?

A side note: Though several people might use the computer, I would be the only person needing root power on a regular basis, though it is doubtful that I would actually use root power on a regular basis. Other people would just be ordinary users with ordinary powers.

Thanks again!!!!

If security is more important than ease of use, have two computers--one physically locked up that only you can access and that is not connected to the internet; then, another one that does only internet and has no access to your personal files or passwords.

That is an interesting idea. I never thought of it but still, what if I only have one (1) computer? Security is more important than usability, but obviously I want to go online for important things like synaptic, etc. . .when they are (rarely) needed).

? su or sudo ?

Thanks.

As reddazz points out, there are strengths and weaknesses to either model.

I think it matters more that you pick hard-to-guess passwords and don't do anything dumb. Install only from the repositories.

One reason I don't use Ubuntu is because it doesn't ask to set a root password at installation, which I consider a security flaw.

The idea of Sudo in Ubuntu was make it more secure and eliminate the root password being cracked. In theory a good idea.

Unfortunately there's a flaw in Ubuntu that makes it possible to set a root password in Ubuntu whilst running from a User account, if you have the know-how. Somebody who knows how to can set the root password, have access to root and your PC without your knowledge.

Distro's which ask for a root password on installation do require a hard to guess password, if it's not to be cracked. However I still find that a safer option than Ubuntu that does not even ask you for one and therefore leaves a backdoor option into your system via setting a root password.

Thats true ,but how many OS X users even know that there is a command line let alone know that its unix based.

I think the problem with sudo is that you need it to do anything so on the desktop you get into the habbit of sudoing most commands and the whole idea becomes point less.

With debian my first command is normally su , because most usefull commands need it

Anybody that has the know how, who is sitting at your computer, can do this. Doesn't matter if it is Ubuntu, Slackware, Gentoo, etc....
I have used many distros that ask for root password and did not check to make sure it was a good password.
So you are saying that in Ubuntu, if I have to do something as root, then all I have to do is login as a user, and I have full root access? Thats not right.
And you should be using a good password for any user account.

As twilli227 points out, anyone who has physical access to your computer has root access.

A live CD gives you root access to any operating system.

If your computer isn't set to boot from CD, then someone can take a screwdriver and remove your hard drive and put it in another computer--root access again.

Yes, I set up my laptop a while back when it had Kubuntu (I'm using Gentoo now) to use su instead of sudo. In order to do that, use sudo passwd, which will set the root password.

AFAIK, you can use su and sudo at the same time, though I can't imagine why you'd want to.

Hehe, good point. sudo is very useful for keeping you system as safe as possible.

Regarding the "make a root" account / password. . .how easy is it for someone to do this? Can that person do it remotely or must the person be sitting at your computer?

This actually makes me jump to my 2nd point / question (for Ubuntu): I have heard several say that if you want, you can set up a root account / password yourself to use the traditional "su" method instead of the newer "sudo" method.

Is it possible to do the reverse? What I mean is, is it possible to set up Ubuntu to NOT make a root account / password, thus making sudo the one and only method? It seems that doing so would eliminate the risk of someone ". . .that has the know how, who is sitting at your computer. . ." from setting up a root account / password.

Sorry this was wordy. . .but any insight would be appreciated.

Thanks!