[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: As seen above: use of su vs sudo

On 2018-08-07 at 09:04, Martin wrote:

> Am 07.08.2018 um 14:50 schrieb The Wanderer:
>> On 2018-08-07 at 08:27, Martin wrote:

>>> So, what is bad with 'sudo -u TARGETUSER YOUR_COMMEND'? How do
>>> you edit a file with su? Invoke a shell? Take a look at
>>> sudoedit!
>> "su OPTIONAL_USERNAME -c 'YOUR_COMMAND'", or similar, where 
>> 'YOUR_COMMAND' could be 'nano /path/to/file-to-be-edited' - or
>> could be 'sh', if it weren't possible to get a root shell by just
>> running straight 'su' instead.
> Ouch!
> Once you let a user run an editor with escalated privileges, you're
> fu**ed. In almost every editor, you can load a different file, save
> the buffer with a different file name.

Of course.

Again, that comes down to: do you trust this user with elevated access,
or not?

If you don't, you shouldn't be giving them elevated access of any kind.

If you do, then giving them this access doesn't hurt.

If you trust them with only limited elevated access, you should be
giving them access to a more limited role, not to root itself. It may be
reasonable to do that via sudoers (probably with targetpw, though I
haven't finished considering that subject), but it's also reasonable to
do it with separate users for each role.

(Combined with the fact that I didn't say I'd let most users do this; I
said this is what I do myself.)

> That is, why I pointed out the use of 'sudoedit'. You need to warp
> your mind around it, from a security standpoint, the use of 'su' is
> not a good idea in almost all cases.

I'm aware of this tool. It's not something I've ever needed, but it's
certainly valid for its purpose.

> And I still have no idea, what the single case would be, where sudo
> would not be able to do, what you may accomplish using su.

It's not that you can do something with su that you can't do with sudo.

It's that you can do things with sudo that you can't do with su.

Or, rather, that you can do elevated-access things with the same
credentials as are used to permit non-elevated access.

I consider that to be, by definition, a security hole.

   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: