Re: sudo questions

To: debian-user@lists.debian.org
Subject: Re: sudo questions
From: Jerry Stuckle <jstuckle@attglobal.net>
Date: Wed, 14 Aug 2013 10:36:21 -0400
Message-id: <[🔎] 520B95E5.3080205@attglobal.net>
In-reply-to: <[🔎] 20130814124404.GA26093@darac.org.uk>
References: <[🔎] 520B5897.9000509@mi.parisdescartes.fr> <[🔎] 20130814124404.GA26093@darac.org.uk>

On 8/14/2013 8:44 AM, Darac Marjal wrote:


I believe the idea is to discourage people from logging in as root. You
can't get rid of root completely (any user with an ID of 0 is root), nor
would you want to. But there have been many a horror story of people
logging in as a super-user (either Root on Linux or Adminstrator on
Windows) for day-to-day work - perhaps to work around some permissions
issue or something.

'sudo' is preferred over 'su' because A) it allows for better control of
who can do what - if you want a user to be able to run 'foo' as root
without being asked for their password, you can do that B) the simple
interface (just adding one keyword before a command line) encourages
users to run JUST ONE command as root - 'su' makes it all too easy to
switch to a root shell and forget to switch back.

Now, I don't believe there's been any active discouragement of doing
things 'the old way'. It's just that, as linux becomes more popular, it
needs to become more 'user friendly' - and that means robustness against
user folly.

I agree in principle that sudo is better then su. The problem I havewith it is security; when you use sudo you type in your own password.So if your password is compromised, the hacker can do anything the sudouser can do - which may be very bad.

For instance, I'm the sysadmin on my VPS's. root is blocked fromlogging in. However, as sysadmin I need access to pretty mucheverything at some time or another. If I allow my id to have sudoaccess to everything and someone gets my password, then they can reallyscrew up the system.

However, when I use su, I need to key in the root password before doinganything. This adds another layer of security to the system. Butobviously I don't want to give out the root password to others.

What I would like to see is the option to require users to have a secondpassword (neither their login nor root password) to use sudo. I knowit's another password - but as an option it would increase security.


Jerry

Reply to:

Follow-Ups:
- Re: sudo questions
  - From: Lars Noodén <lars.nooden@gmail.com>
- Re: sudo questions
  - From: Ralf Mardorf <ralf.mardorf@alice-dsl.net>
- Re: sudo questions
  - From: Bob Proulx <bob@proulx.com>

References:
- sudo questions
  - From: François Patte <francois.patte@mi.parisdescartes.fr>
- Re: sudo questions
  - From: Darac Marjal <mailinglist@darac.org.uk>

Prev by Date: Re: sudo questions
Next by Date: Re: sudo questions
Previous by thread: Re: sudo questions
Next by thread: Re: sudo questions
Index(es):
- Date
- Thread