[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: As seen above: use of su vs sudo

On 2018-08-07 at 09:09, Nicolas George wrote:

> The Wanderer (2018-08-07):
> The superiority of sudu over su in this particular case is that it
> does not require an extra level of quoting.

I don't consider that a significant downside; in some contexts, it may
even be an advantage.

>> But it's more secure to require a second password to do elevated
>> things than to permit doing those things with the same password as
>> is used for ordinary activities.
> That not necessarily true. A second password used for rare cases
> often means a password on a post-it under the keyboard.

An inclination in the direction of doing that would be a mark against
that user being considered sufficiently trustworthy to have the elevated
access to begin with.

>> Not usually; this is a desktop machine, not a server. Most logins
>> are done from a position of physical access.
>> Also, part of my entire point is that the "let users type their
>> password to confirm authorization to do elevated things" approach
>> means that anyone who learns the user's password can *both* log in
>> as the user *and* do those elevated things, which is clearly less
>> secure than if that just made it possible to log in as that user.
> Anyone who learns the user's password can obtain the second password 
> pretty easily.

How so?

> Also, remember that what is really precious is access to user
> accounts. Root access is only a means to access any user's account.
> On a single-user machine, it is one and the same.

There's a point there, but I do consider the rest of the system (beyond
just the user's account) to be something worth securing, even on a
single-user system.

   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: