Tyler Smith wrote: > Doesn't the 'ALL=(ALL) ALL' line give the user unlimited authority > anyways? It isn't about restricting privilege. Both have superuser privilege. It is about the invocation environment. The difference is that: * 'sudo' uses your user password while 'su' uses root's password. With sudo you manage your own password. With su you manage both your password *and* root's password. * 'sudo' uses your editing environment while 'su' uses root's. I am an emacs users. Let's say that you are a vi user. If we both use su then one of us will be frustrated because the command line editing will be the wrong way for us. I leave it the default of emacs and then you as a vi user get the wrong keys. You change it to vi mode and then I as am emacs user get the wrong keys. But with sudo each of us customize our own shell for our own preferences and they don't conflict. * With sudo if I leave the group then my account is disabled. You don't have to change your password. You are using your password and I don't know it. With su if I leave the group then you should change the su password to prevent me from accessing it. Which means that everyone that is sharing the root password needs to get the update all at the same time. Sharing the root password is problematic. Are you going to email it to them? Store it in a readable only by root file on the system? Call everyone? None of those problems with sudo. * Other items that I didn't remember while typing this. Sure if you are the only one using your own machine and nothing else then it doesn't matter. If you are on your own farm and driving on your own farm road then drive on any part of the road that you want! You will see no advantage to any driving rule or convention if you are the only vehicle on the road. But if you are sharing the road with others that is when things like this become important. There are some downsides too. Everything is a tradeoff of some type. If you really want a root shell then there isn't anything preventing either of these following. You are root and you can do what you want. $ su Or $ sudo $SHELL # aka sudo -s > Is there any security benefit to logging in as a user with > unlimited sudo access over just logging in as root? It isn't about security. Although the need to share passwords with su makes it inherently less secure. > I don't see the point of sudo *except* to allow fine-grained control to > select programs to select users. Using it to provide open access seems > counter-productive. Accident prevention is an important safeguard. If you are operating with your normal command line editing environment then you are less likely to make mistakes. I find that most of my command line mistakes have been when I have been out of my normal environment and finger memory doesn't match. When operating as root mistakes can be much more costly. Therefore I try to minimize those problems and create as safe of an operating environment as possible. Safe working environments are fun to work in. Risky ones are stressful. Bob
Attachment:
signature.asc
Description: Digital signature