
Re: As seen above: use of su vs sudo



On 2018-08-07 at 09:04, Martin wrote:

> On 07.08.2018 at 14:50, The Wanderer wrote:
> 
>> On 2018-08-07 at 08:27, Martin wrote:

>>> So, what is bad with 'sudo -u TARGETUSER YOUR_COMMAND'? How do
>>> you edit a file with su? Invoke a shell? Take a look at
>>> sudoedit!
>> 
>> "su OPTIONAL_USERNAME -c 'YOUR_COMMAND'", or similar, where 
>> 'YOUR_COMMAND' could be 'nano /path/to/file-to-be-edited' - or
>> could be 'sh', if it weren't possible to get a root shell by just
>> running straight 'su' instead.
> 
> Ouch!
> 
> Once you let a user run an editor with escalated privileges, you're
> fu**ed. In almost every editor, you can load a different file, save
> the buffer with a different file name.

Of course.

Again, that comes down to: do you trust this user with elevated access,
or not?

If you don't, you shouldn't be giving them elevated access of any kind.

If you do, then giving them this access doesn't hurt.

If you trust them with only limited elevated access, you should be
giving them access to a more limited role, not to root itself. It may be
reasonable to do that via sudoers (probably with targetpw, though I
haven't finished considering that subject), but it's also reasonable to
do it with separate users for each role.

(Combined with the fact that I didn't say I'd let most users do this; I
said this is what I do myself.)

> That is why I pointed out the use of 'sudoedit'. You need to wrap
> your mind around it: from a security standpoint, the use of 'su' is
> not a good idea in almost all cases.

I'm aware of this tool. It's not something I've ever needed, but it's
certainly valid for its purpose.

> And I still have no idea what the single case would be where sudo
> would not be able to do what you may accomplish using su.

It's not that you can do something with su that you can't do with sudo.

It's that you can do things with sudo that you can't do with su.

Or, rather, that you can do elevated-access things with the same
credentials as are used to permit non-elevated access.

I consider that to be, by definition, a security hole.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
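
The three positions argued in this message, written out as a sudoers fragment. This is an added illustration, not configuration posted by anyone in the thread; the user `alice`, the role account `webadmin`, the file `/etc/example.conf` and the nano path are assumed names.

```sudoers
# Constructed example. alice, webadmin and /etc/example.conf are placeholders.

# Weak: the editor itself runs as root. The rule pins the command line
# (only "nano /etc/example.conf" matches), but once nano is running as
# root alice can read in any other file or write the buffer out under a
# different name, which is the objection raised in the quoted reply.
alice   ALL = (root) /usr/bin/nano /etc/example.conf

# Tighter: sudoedit copies the file to a temporary copy, runs the editor
# as alice (not as root), and installs the result afterwards. Loading or
# saving other files from inside the editor happens with alice's own
# permissions only.
alice   ALL = (root) sudoedit /etc/example.conf

# Limited role instead of root: alice may run commands as the
# unprivileged role account webadmin, never as root.
alice   ALL = (webadmin) ALL

# targetpw: sudo prompts for the password of the target user (here
# webadmin, or root for the rules above) instead of alice's own
# password, so the credential that grants login access is not the one
# that grants elevated access.
Defaults:alice  targetpw
```

A fragment like this can be syntax-checked with `visudo -cf <file>` before it is installed.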
