
Re: sudo questions



On Wed, 14 Aug 2013 12:21:43 -0400
Jerry Stuckle <jstuckle@attglobal.net> wrote:

> On 8/14/2013 12:04 PM, Ralf Mardorf wrote:
> > On Wed, 2013-08-14 at 10:36 -0400, Jerry Stuckle wrote:
> >> However, when I use su, I need to key in the root password before
> >> doing anything.  This adds another layer of security to the system.
> >
> > He?
> >
> > Then configure sudo to ask for the password too.
> >
> > [rocketmouse@archlinux ~]$ sudo mcedit
> > [sudo] password for rocketmouse:
> >
> > [rocketmouse@archlinux ~]$
> >
> >
> 
> Yes, but it's the same password as the user used to log in.  Not much 
> security if that password is compromised.
> 
> With su, they need to also know the root password to get root access.
> 

You might create another user with high sudo privileges, and the third
password, and su to that user from your login account. su isn't only for
root access. Put the new user in the adm group, and you can read (but
not write) most logs without further privilege. It's not much different
from su to root, but it has the sudo advantages of time-expiring the
password and of being required for each command.

You could for that matter sudo from your login account to the new
account, needing the new password, without using su, but this will make
every sudo command longer, and we don't need that.

Also, sudo can require the root password instead of the user's, but I'm
fairly sure this is global, and can't be specified per user or per
command in a multi-user system. I won't swear to that, sudo has been
seriously revamped recently, and I haven't had to deal with it since
then other than fixing it when it broke. It does also have the
capability of using other authentication methods, but this is well
beyond my needs.

-- 
Joe
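
A sudoers fragment for the arrangement described in the message above, added here as an illustration and not part of the original post. The account names `opsadmin` and `alice`, the file name and the 5-minute timeout are assumptions chosen for the example.

```sudoers
# /etc/sudoers.d/opsadmin   (constructed example)
# Edit only through: visudo -f /etc/sudoers.d/opsadmin
#
# Assumed one-time setup, run as root:
#   useradd -m -G adm opsadmin   # second account; adm membership allows reading most logs
#   passwd opsadmin              # its own password, distinct from the login and root passwords
#
# The everyday login account (here "alice") gets no sudo rule at all,
# so its password alone does not lead to root.

# opsadmin may run any command as any user, authenticating with opsadmin's own password.
opsadmin ALL=(ALL:ALL) ALL

# Cached credentials for opsadmin expire after 5 minutes.
# A value of 0 makes sudo prompt for the password on every command.
Defaults:opsadmin timestamp_timeout=5

# Day-to-day use from the login account:
#   alice$ su - opsadmin          # asks for opsadmin's password
#   opsadmin$ less /var/log/syslog   # readable through adm, no sudo needed
#   opsadmin$ sudo systemctl restart ssh   # asks for opsadmin's password again
```

Running `visudo -cf /etc/sudoers.d/opsadmin` checks the fragment's syntax before it takes effect.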

