Jerry Stuckle wrote:
> Darac Marjal wrote:
> > I believe the idea is to discourage people from logging in as root.

I think it is more one of trying to simplify things for the non-technical
user. Having non-technical users deal with one password is hard. Having
non-technical users deal with two passwords, one low privilege and one high
privilege, is very hard. My personal experience comes from dealing with
electrical engineers (like me) and ham radio operators (like me) and no one
is more surprised than myself about how difficult teaching those concepts
to otherwise very smart people can be.

> > Now, I don't believe there's been any active discouragement of doing
> > things 'the old way'. It's just that, as linux becomes more popular, it
> > needs to become more 'user friendly' - and that means robustness against
> > user folly.

Full agreement. I think you hit the nail squarely on the head there.

> I agree in principle that sudo is better than su.

It isn't better. It isn't worse. Using su means one strategy. Using sudo
means using a different strategy. They are both rather equivalent. However,
managing passwords with sudo is somewhat easier in many contexts, such as
newbies (only one) and such as group administration (tied to the user).
With su and five admins, when one leaves you change the root password and
you must distribute the new root password to all admins. With sudo, when
one admin leaves you simply remove that admin from the sudo list.

Personally I prefer ssh rsa keys. It is yet a different security model. No
one model is canonically correct or incorrect. They are simply different
security models.

> The problem I have with it is security; when you use sudo you type
> in your own password. So if your password is compromised, the hacker
> can do anything the sudo user can do - which may be very bad.

There is always going to be some magic cookie that is needed. It is either
going to be your password, or root's password, or an ssh rsa key for login,
or a one-time-token device, or something. Even a biometric. There is always
some critical authentication step. You can move that step around. You can
create additional layers such as needing multiple account su stepping. But
there will always be a critical section where you can point and say that
is the line between low and high privilege.

> For instance, I'm the sysadmin on my VPS's. root is blocked from
> logging in. However, as sysadmin I need access to pretty much
> everything at some time or another. If I allow my id to have sudo
> access to everything and someone gets my password, then they can
> really screw up the system.
>
> However, when I use su, I need to key in the root password before
> doing anything. This adds another layer of security to the system.
> But obviously I don't want to give out the root password to others.

But if someone were to put a key logger on your machine they would easily
have both. (said mischievously)

> What I would like to see is the option to require users to have a
> second password (neither their login nor root password) to use sudo.
> I know it's another password - but as an option it would increase
> security.

After working with users often I think that is impractical. People are not
good at that type of thing. Therefore it is an impractical default for a
distro. However you can easily set this up yourself. You can create as
many account layers as you desire. I personally do not think this
increases security. It definitely increases annoyance! But simply create
an intermediate user account. Then allow the 3rd tier accounts to sudo
only to the 2nd tier account. Then only allow the 2nd tier account to sudo
to root. You may daisy chain as many accounts as you want creating as many
password levels as you desire.

  user1@sys:~$ sudo -u user2 sudo command
  user1@sys:~$ alias sudo2='sudo -u user2 sudo'
  user1@sys:~$ sudo2 command

Bob
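The sudoers rules that implement the two-tier chain Bob describes (3rd-tier operators may only become the intermediate account, and only the intermediate account may become root), plus the group-based admin rule behind his "remove that admin from the sudo list" remark. This is an added example for the thread, not something from Bob's message or from any distro's default sudoers; the group name tier3, the account name user2 and the group name admins are assumed placeholders.

```sudoers
# Added example (not from the original message). Names are assumed:
# "tier3" and "admins" are constructed groups, "user2" is the
# intermediate account.

# Tier 3: members may switch only to user2, and then only to run sudo.
# A command listed without arguments matches any arguments, so this
# covers "sudo -u user2 sudo <command>". They authenticate with their
# own password here (first password level).
%tier3  ALL = (user2) /usr/bin/sudo

# Tier 2: the intermediate account is the only path to root. The inner
# sudo runs as user2, so by default it asks for user2's password
# (second password level). user2's password is therefore the critical
# secret Bob calls the "magic cookie".
user2   ALL = (root) ALL

# Conventional group-based administration, for comparison with su:
# revoking one admin means removing them from the group rather than
# rotating and redistributing a shared root password.
%admins ALL = (ALL) ALL
```

Edit the file with visudo so a syntax error cannot lock you out, or check a separately written fragment with `visudo -c -f <file>` before installing it; `sudo -l -U user1` then shows exactly which rules apply to a tier 3 account, which should list only the `(user2) /usr/bin/sudo` entry. The chain adds a password prompt, not a second trust boundary: the intermediate account still holds full root, so it needs the same protection (strong password, monitored logins) as root itself.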