
sudo vs. su (was Re: new to list, new to debian, new to linux)

On Fri, May 22, 2009 at 06:56:18AM -0700, Thorny wrote:
> You've just advised an obvious newbie (stated in post) on how to make his
> system insecure. Giving ALL=(All) ALL rights to a normal user is pretty
> much the same as running as root and is not recommended on a Debian
> system. It is what was asked for, sort of, but he may not have
> realized the significance.

I have to call shenanigans on this.  What's the threat model, exactly,
where it is safer to have a regular user su'ing to root than to have him
use sudo to the same effect?

Suppose that an attacker has managed to execute code under a user's
account (say, through a web browser exploit), and wants to use this as a
stepping stone to root.  If the targeted account is in /etc/sudoers with
"ALL=(ALL) ALL" (but *not* NOPASSWD, obviously), then the attacker still
needs to capture the user's password before he can escalate privileges
through sudo.

If the targeted user uses su instead of sudo (and gksu instead of
gksudo), the situation is no better and no worse: if the attacker can
get code to run under the user's account, then he can attempt to log the
user's keystrokes until he obtains the root password.

It *would* be safer to use neither su nor sudo, and only have root log
in on a separate, secure console, thereby eliminating the possibility of
password sniffing from a compromised regular account.  However, few
desktop Linux users actually run their computers this way.

Mark Shroyer
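
Added example, not part of the original message: the argument above rests on whether a full-rights sudoers entry still requires the user's password, so this Python sketch audits sudoers text and reports, for each entry granting ALL commands, whether a password prompt remains. The sample content and function names are constructed for illustration, and the parser is a simplification: it does not follow include directives, expand aliases, or account for Defaults settings such as `!authenticate`.

```python
import re

# Constructed sample sudoers content (not taken from any real system).
SAMPLE = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, \\
        PASSWD: ALL
"""

TAG = re.compile(r"^([A-Z_]+):\s*")                    # e.g. NOPASSWD:, PASSWD:
SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(.*)$")     # who host = commands

def logical_lines(text):
    """Join backslash-continued lines; skip blanks and '#' lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def full_root_grants(text):
    """Map each user/group granted ALL commands to 'password' or 'no password'."""
    result = {}
    for line in logical_lines(text):
        if line.startswith("Defaults") or re.match(r"\w+_Alias\b", line):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, cmds = m.groups()
        nopasswd = False                               # sudo asks for a password by default
        for cmd in cmds.split(","):
            cmd = re.sub(r"^\([^)]*\)\s*", "", cmd.strip())   # drop (runas) prefix
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"       # tag carries to later commands
                cmd = cmd[t.end():]
            if cmd == "ALL":
                result[who] = "no password" if nopasswd else "password"
    return result

if __name__ == "__main__":
    for who, gate in sorted(full_root_grants(SAMPLE).items()):
        print(f"{who}: ALL commands, {gate} required")
```

Entries reported as "no password" are the ones where code running under the account reaches root without capturing any credential; run the function over the output of `cat /etc/sudoers /etc/sudoers.d/*` as root to check a real system.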
