Re: As seen above: use of su vs sudo
Am 07.08.2018 um 14:50 schrieb The Wanderer:
> On 2018-08-07 at 08:27, Martin wrote:
>
>> Am 07.08.2018 um 14:07 schrieb The Wanderer:
>>
>>> On 2018-08-07 at 07:47, Martin wrote:
>
>>>> As a system operator, you need some elevated privileges on a
>>>> daily basis. How do you do that without sudo?
>>>
>>> No, I don't. I only need them when I'm doing elevated things, such
>>> as installs or upgrades. (In practice on some machines, I do those
>>> on around a weekly basis or slightly more frequently, but it can
>>> be argued that that's overkill.) The overwhelming majority of what
>>> I do does not require elevated privileges, and the few things
>>> which do are not needed anywhere near daily.
>>
>> Starting and stopping services (e.g. running systemctl), changing
>> configurations, all things you, where individual decisions have to
>> be made, reuire elevated privileges. root in many cases.
>
> And none of those are things I need to do as frequently as on a daily
> basis.
>>> How I do them is by running either "su -c 'command name'", or
>>> simply running 'su' and then running the desired command(s) and
>>> then exiting the root shell.
>>
>> So, what is bad with 'sudo -u TARGETUSER YOUR_COMMEND'? How do you
>> edit a file with su? Invoke a shell? Take a look at sudoedit!
>
> "su OPTIONAL_USERNAME -c 'YOUR_COMMAND'", or similar, where
> 'YOUR_COMMAND' could be 'nano /path/to/file-to-be-edited' - or could be
> 'sh', if it weren't possible to get a root shell by just running
> straight 'su' instead.
Ouch!
Once you let a user run an editor with escalated privileges, you're fu**ed. In almost every editor, you can load a different file, save the buffer with a different file name.
That is, why I pointed out the use of 'sudoedit'. You need to warp your mind around it, from a security standpoint, the use of 'su' is not a good idea in almost all cases.
And I still have no idea, what the single case would be, where sudo would not be able to do, what you may accomplish using su.
[...]
Reply to: