
Re: As seen above: use of su vs sudo



On 2018-08-07 at 09:22, Dave Sherohman wrote:

> On Tue, Aug 07, 2018 at 08:07:56AM -0400, The Wanderer wrote:
> 
>> On 2018-08-07 at 07:47, Martin wrote:
>> 
>>> The point is not that ONE person needs a root password. All
>>> people intended to do privileged things will have to share this
>>> password. This is a security nightmare!
>> 
>> If they're all trusted enough to be trusted with that password in
>> the first place, this isn't a problem, any more than the one person
>> having it is.
>> 
>> If they aren't trusted enough to have that password, why are we 
>> permitting them to do anything root-level in the first place?
> 
> It's not just a question of trust, but also one of maintenance.
> What happens when one of the people with root access gets a new job?
> 
> Using su and a shared root password:
> - Disable the person's account.
> - Change the root password.
> - Find a secure way to distribute the new password to all the people
>   it's shared by.
> 
> Using sudo:
> - Disable the person's account.
> - Remove the account from /etc/sudoers and/or the sudo group.
> 
> Everyone else with root access is completely unaffected by the
> departure.

That's a valid point.

I'm not sure it's enough to outweigh the other factors underlying my
opinion on the subject (especially not since the computers I'm working
with in the cases at hand aren't work machines, they're home systems,
and the "other users" are either family members or close friends -
although I'll admit the scope of the discussion is broader than that),
but it's definitely an important consideration, and there are contexts
in which it could trump.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
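
The sudo-side cleanup from the quoted list (remove the account from /etc/sudoers and/or the sudo group), as an added example that is not part of the original message: a shell check that reports where an account still holds sudo rights after offboarding. The function names and sample files are constructed for illustration, and it assumes direct user rules and the `sudo` group only (no `User_Alias` or other `%group` rules).

```shell
#!/bin/sh
# Added example: find leftover sudo grants for a departing account.
# File paths are parameters so the check can run against copies of
# /etc/group and /etc/sudoers (plus any drop-in files).

# Print "group:sudo" if USER is a member of the sudo group in GROUP_FILE.
group_grants() {  # usage: group_grants USER GROUP_FILE
    awk -F: -v u="$1" '
        $1 == "sudo" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print "group:" $1
        }' "$2"
}

# Print "sudoers:<file>:<line>" for each rule whose first field is USER.
# Comment lines never match because their first field starts with "#".
sudoers_grants() {  # usage: sudoers_grants USER FILE...
    u=$1; shift
    awk -v u="$u" '$1 == u { print "sudoers:" FILENAME ":" FNR }' "$@"
}

# Everything that must be removed before the account has no sudo rights.
remaining_grants() {  # usage: remaining_grants USER GROUP_FILE SUDOERS_FILE...
    user=$1; groupfile=$2; shift 2
    group_grants "$user" "$groupfile"
    sudoers_grants "$user" "$@"
}

# Constructed sample data (not from a real system), written into directory $1.
make_sample() {
    printf '%s\n' 'root:x:0:' 'sudo:x:27:alice,bob' \
        'users:x:100:alice,bob,carol' > "$1/group"
    printf '%s\n' '# constructed sample sudoers' 'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' 'bob ALL=(ALL) NOPASSWD: ALL' > "$1/sudoers"
}

# Demo: bob is leaving; list what still grants him root.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
remaining_grants bob "$demo_dir/group" "$demo_dir/sudoers"
rm -rf "$demo_dir"
```

An empty result means neither of the two places named in the list still grants the account sudo; edits to the real sudoers file should go through `visudo`.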
