
Re: Could sudo be an security issue?



Stewart James <stewart.james@vu.edu.au> writes:

> Hi all,
> 
> My manager just came in asking questions about sudo. We use sudo here as a
> replacement for having to know root passwords - in general there are
> around 5 of us who need root access to the machines we maintain. We
> typically have just fallen back to an ALL=ALL for ourselves so we can just
> prepend sudo to any command we need executed as root.
> 
> Now in his mind this is removing a level of security. If someone manages
> to get my password, they also can gain access to root via sudo. In an
> environment where I have 25+ machines, different passwords for all
> machines is not that workable.
> 
> What are other people's thoughts on this? Where have I gone wrong in
> implementation? What would be your recommendations in this case?
> 

 Recommendations: use sudo

 Main reason: You know that you probably didn't have only 5
admins knowing the root password. You probably had 5 admins,
two former admins, three consultants that needed to install some
applications, the user who looked over your shoulder when you
fixed something on his workstation, and the few select friends
he told it to. Now, changing the root password for these five
admins is a hassle, because all need to be informed, so
probably it is only going to be changed once a year or so (and
probably not even that), it is going to be unintuitive to at
least two of the admins so they are going to write it down
somewhere, and so on...

Compare this with a secure, locked down root password in a
sealed letter in a safe somewhere that only you know what it is,
but everyone knows where to find it in an emergency + sudo + a sane
password aging policy.

> Cheers,
> 
> Stewart

Best Regards
Tobbe
-- 
######################################################################
Torbjörn Pettersson               #  Email   tobbe@strul.nu
Vattugatan 5                      #  Web     www.strul.nu/~tobbe
S-111 52  Stockholm, Sweden       #
######################################################################


