
Re: As seen above: use of su vs sudo



On Tue, Aug 07, 2018 at 08:07:56AM -0400, The Wanderer wrote:
> On 2018-08-07 at 07:47, Martin wrote:
> > The point is not that ONE person needs a root password. All people
> > intended to do privileged things will have to share this password.
> > This is a security nightmare!
> 
> If they're all trusted enough to be trusted with that password in the
> first place, this isn't a problem, any more than the one person having
> it is.
> 
> If they aren't trusted enough to have that password, why are we
> permitting them to do anything root-level in the first place?

It's not just a question of trust, but also one of maintenance.  What
happens when one of the people with root access gets a new job?

Using su and a shared root password:
- Disable the person's account.
- Change the root password.
- Find a secure way to distribute the new password to all the people
  it's shared by.

Using sudo:
- Disable the person's account.
- Remove the account from /etc/sudoers and/or the sudo group.

Everyone else with root access is completely unaffected by the
departure.

-- 
Dave Sherohman
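
An added example, not part of the original message: a shell check for the sudo offboarding steps above, listing every place a departed account is still named in the sudo group or in sudoers files. The function names, the sample accounts and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): after removing a departed
# admin, list every place the account still holds sudo rights.

# sudo_refs USER GROUP_FILE SUDOERS_FILE...
sudo_refs() {
    user=$1; group_file=$2; shift 2
    # /etc/group format: name:passwd:gid:member1,member2,...
    awk -F: -v u="$user" '
        $1 == "sudo" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) print FILENAME ": member of group sudo"
        }' "$group_file"
    # sudoers: report non-comment lines naming the user as a whole token
    # (user specifications and User_Alias lists).
    for f in "$@"; do
        awk -v u="$user" '
            /^[ \t]*#/ { next }
            {
                line = $0
                gsub(/[,=:()]/, " ", line)
                n = split(line, t, " ")
                for (i = 1; i <= n; i++)
                    if (t[i] == u) { print FILENAME ":" FNR ": " $0; break }
            }' "$f"
    done
}

# make_sample DIR: write constructed group and sudoers files for the demo.
make_sample() {
    printf '%s\n' 'sudo:x:27:alice,bob' 'users:x:100:alice,bob,carol' > "$1/group"
    printf '%s\n' '# bob: former admin' 'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' 'User_Alias DBA = carol,bob' \
        'DBA ALL=(postgres) ALL' > "$1/sudoers"
    printf '%s\n' 'bobby ALL=(ALL) NOPASSWD: /usr/bin/apt' > "$1/extra"
}

# Demo on the constructed files; on a real host pass /etc/group,
# /etc/sudoers and each file in /etc/sudoers.d instead.
demo=$(mktemp -d)
make_sample "$demo"
sudo_refs bob "$demo/group" "$demo/sudoers" "$demo/extra"
rm -rf "$demo"
```

Empty output means the account is gone from both places; the User_Alias hit in the sample shows why checking only the sudo group is not enough.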

