
Re: sudo vs. su (was Re: new to list, new to debian, new to linux)

On Fri, May 22, 2009 at 09:45:05PM +0000, Glyn Astill wrote:
> > 'ALL=(ALL) ALL' is no more dangerous than having the 'su' binary
> > available.
> > 
> > The NOPASSWD option is not the default.
> 
> No. For su they'd have to enter the root password, for sudo su they'd
> just have to enter the password of the current user and they are root.

And what I'm saying is that in the most likely attack scenario for this
type of user--remote exploit of an essentially single-user system
through an application running under a regular account, such as a web
browser or a word processor--it isn't magically harder for an attacker
to obtain the root password than it would be to obtain the regular
user's password.  Both would typically have to be obtained through the
same process.

If you're worried about brute-force attacks on a user's password, that's
one thing.  But most basic desktop systems, such as the one the OP was
describing, are not running SSH or other remote-login services.  With
the type of attack vector this type of user should be concerned about,
two passwords does not equal twice the security.

-- 
Mark Shroyer
http://markshroyer.com/contact/
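The two sudoers settings the thread turns on, `NOPASSWD` and whether sudo asks for the invoker's or root's password, can be audited directly; the script below is an added example, not something from this thread, and it runs against a constructed sample file (on a real host you would point it at /etc/sudoers and the files under /etc/sudoers.d, which only root can read).

```shell
#!/bin/sh
# Added example: audit a sudoers file for (a) rules that grant privileges
# without a password (NOPASSWD, which the thread notes is not the default) and
# (b) whether sudo asks for the invoking user's password (the default) or for
# root's (Defaults rootpw / targetpw). The sudoers content is constructed here
# for the demonstration only.

SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample sudoers
Defaults   env_reset
root       ALL=(ALL) ALL
# password required: comparable in risk to having su available (per the thread)
alice      ALL=(ALL) ALL
# passwordless: any compromise of bob's session is a root compromise
bob        ALL=(ALL) NOPASSWD: ALL
%admin     ALL=(ALL) ALL
EOF

# Print every non-comment line carrying the NOPASSWD tag as file:line: rule.
find_nopasswd_rules() {
    awk '!/^[[:space:]]*#/ && /NOPASSWD:/ { printf "%s:%d: %s\n", FILENAME, NR, $0 }' "$1"
}

# Number of passwordless rules in the file (0 means none found).
count_nopasswd_rules() {
    find_nopasswd_rules "$1" | wc -l | tr -d ' '
}

# Which password sudo will prompt for. Only the plain "Defaults rootpw" /
# "Defaults targetpw" forms are recognised; negated (!rootpw) or comma-joined
# option lists are not parsed here.
password_policy() {
    if awk '!/^[[:space:]]*#/ && /^Defaults/ && /[[:space:]](rootpw|targetpw)/ { found=1 }
            END { exit !found }' "$1"; then
        echo "root-password"
    else
        echo "user-password"
    fi
}

echo "passwordless rules: $(count_nopasswd_rules "$SAMPLE_SUDOERS")"
find_nopasswd_rules "$SAMPLE_SUDOERS"
echo "sudo prompts for: $(password_policy "$SAMPLE_SUDOERS")"
```

After editing a real sudoers file, `visudo -c` checks its syntax before the change can lock you out.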